Training at the Top


  • I am not being facetious here (I know, surprise) but perhaps putting the cyber security education and implementation remit under the Health & Safety umbrella might be all it takes. When it sits with IT it gets ignored, however, H&S rarely seems to be.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • We used a service to send phishing emails to our entire company. The results were pretty interesting. What was more interesting was the company we used (Kevin Mitnick owns it, or at least is the public face).

  • Gary Varga (1/28/2016)


    I am not being facetious here (I know, surprise) but perhaps putting the cyber security education and implementation remit under the Health & Safety umbrella might be all it takes. When it sits with IT it gets ignored, however, H&S rarely seems to be.

    Ooohhh dark cynicism. But what is cynicism but reality without the rose tinted spectacles.

    Security is a fast-moving target. In the past year I have had to learn a lot about security in the cloud. I'm shocked by the amount I didn't know and even more shocked by the stuff I still need to know.

  • Gary Varga (1/28/2016)


    I am not being facetious here (I know, surprise) but perhaps putting the cyber security education and implementation remit under the Health & Safety umbrella might be all it takes. When it sits with IT it gets ignored, however, H&S rarely seems to be.

    I absolutely agree. That's why I'm considering putting up a sign at my desk that says "Please go away because OSHA has declared that if just one more person rides my a55, I have to install handrails". 😀

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • David.Poole (1/28/2016)


    Gary Varga (1/28/2016)


    I am not being facetious here (I know, surprise) but perhaps putting the cyber security education and implementation remit under the Health & Safety umbrella might be all it takes. When it sits with IT it gets ignored, however, H&S rarely seems to be.

    Ooohhh dark cynicism. But what is cynicism but reality without the rose tinted spectacles.

    Security is a fast-moving target. In the past year I have had to learn a lot about security in the cloud. I'm shocked by the amount I didn't know and even more shocked by the stuff I still need to know.

    I feel the same way sometimes. There are numerous security nuances that are treated differently from industry to industry and business to business. I think a good example would be all of the government STIGs. There is a lot to learn with those things.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Jeff Moden (1/28/2016)


    Gary Varga (1/28/2016)


    I am not being facetious here (I know, surprise) but perhaps putting the cyber security education and implementation remit under the Health & Safety umbrella might be all it takes. When it sits with IT it gets ignored, however, H&S rarely seems to be.

    I absolutely agree. That's why I'm considering putting up a sign at my desk that says "Please go away because OSHA has declared that if just one more person rides my a55, I have to install handrails". 😀

    Just handrails or is there a ramp to go with them?

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • SQLRNNR (1/29/2016)


    Jeff Moden (1/28/2016)


    Gary Varga (1/28/2016)


    I am not being facetious here (I know, surprise) but perhaps putting the cyber security education and implementation remit under the Health & Safety umbrella might be all it takes. When it sits with IT it gets ignored, however, H&S rarely seems to be.

    I absolutely agree. That's why I'm considering putting up a sign at my desk that says "Please go away because OSHA has declared that if just one more person rides my a55, I have to install handrails". 😀

    Just handrails or is there a ramp to go with them?

    ...and a ticketing machine???

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • I love the idea of forcing the C-level to actually become acquainted with security. Then again, given the PHB factor I suppose I should be careful what I ask for...

    On a more cynical note I suspect it will never happen, and if it does the wrong threats will be emphasized.

    Sigh.

    I've already been through customer mandated "security audits" that did nothing of the kind....

    Edit: spelling, should never post pre-caffeine!

  • Many applications are now written to be executed in a web browser, which in itself poses a threat, because users may use multiple tabs and have sites open that run some sort of an engine and a program that breaches security. The implications are serious, yet we insist on developing and using that kind of technology. On the other side sits an admin who should be responsible for making sure your security is up to date. Applications and security are so complex these days (take for example Oracle .jar files that should be signed, and that sometimes has to be paid for) that many of us use workarounds or even ignore the whole issue, because a) there is no time to actually implement good security measures and managers simply put a lot of pressure on us to do things quickly, not by the book, and b) managers have absolutely no clue of the risks or that security officers/admins should get proper training to make sure they know what they are doing. I've never had a single day of training on this subject; the only time I learned how things are done was when attending a database administration course for a database that only touched the database side of security (database roles and privileges).

    Take the SQL Server security implementation as an example. I was recently asked to give users access. Before me there were a bunch of people who would not have had the knowledge to do it properly (nor would they bother anyway), hence the impression that it's a "simple task". Click, click, click, done. I then mentioned that up till now it was not done properly and that database roles should be used. The response was: "let's give them something quickly". With this approach you can forget about doing things properly. Not to mention that actually implementing database roles can be awkward in SQL Server; it requires understanding, proper planning and implementation. As SQL Server is regarded as self-maintaining and simple, we have a plethora of non-professional admins who think they know how to implement proper security measures.

    The only database and application with a properly implemented security approach was an Oracle Database. On a yearly basis we had an audit and any risks were pointed out. Any other database, especially a SQL Server database, was not subject to an audit up till now. Auditing would have forced managers to accept new solutions to secure the database and application. Of all the audits I've seen so far (for the past 10 years, BTW) not one single one of them would analyze the application point of view, like running the application in a browser leaving vulnerabilities unchecked.

    Just my 2c.

    Richard
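
The point about database roles versus per-user grants in the post above, as an added example that is not part of the original thread: the "quick" direct grant is shown commented out beside the role-based version, followed by two review queries a practitioner would run before an audit. The database, schema, role and login names (AppDb, Reporting, ReportReaders, CORP\jsmith, dbo.Orders) are hypothetical; the catalog views and T-SQL syntax are those of SQL Server 2012 and later.

```sql
-- Added example (not from the thread). Names are hypothetical.
USE AppDb;
GO

-- The "click, click, click, done" approach: permissions granted straight to a user.
-- Every new user repeats this, and nobody can see at a glance who can read what.
-- CREATE USER [CORP\jsmith] FOR LOGIN [CORP\jsmith];
-- GRANT SELECT ON dbo.Orders TO [CORP\jsmith];

-- Role-based approach: one role per job function; permissions live on the role.
CREATE ROLE ReportReaders AUTHORIZATION dbo;
GO
-- Schema-level grant covers every table/view in the Reporting schema, now and later.
GRANT SELECT ON SCHEMA::Reporting TO ReportReaders;
GO

-- Users receive role membership and nothing else.
CREATE USER [CORP\jsmith] FOR LOGIN [CORP\jsmith];
GO
ALTER ROLE ReportReaders ADD MEMBER [CORP\jsmith];
GO

-- Review 1: who is a member of which user-defined role.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.is_fixed_role = 0
ORDER BY r.name, m.name;

-- Review 2: object permissions granted directly to users instead of roles.
-- These are the leftovers from the "quick" approach that should be moved onto roles.
SELECT p.name AS grantee,
       dp.permission_name,
       dp.state_desc,
       OBJECT_SCHEMA_NAME(dp.major_id) AS schema_name,
       OBJECT_NAME(dp.major_id)        AS object_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE p.type IN ('S', 'U')               -- SQL user or Windows user, not a role
  AND dp.class_desc = 'OBJECT_OR_COLUMN'
ORDER BY p.name, schema_name, object_name;
```

Running the second query against a database that has been administered the "quick" way is usually what turns "give them something quickly" into a list of rows nobody can explain at audit time; an empty result from it, with all access visible in the first query, is the state the post argues for.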

  • A good vulnerability test company will rip holes in anything with a weakness.

    The level my team has to deal with is considering vulnerabilities in cloud hypervisors and steps to mitigate those risks.

    We also have to consider conflicts between what should be good practice and what is physically possible. For example, certain isolations mean that encryption cannot work because an encryption key cannot be shared across an isolation. If you do try to use the same key, it will not decrypt data from the other isolation unit.

  • I'm trying to implement better security in the applications at work, but like David pointed out, there are conflicts between good practices and what's realistically possible. I don't want to strike a balance but I have to. I'd rather have everything completely locked down and so tight it would make a snare drum jealous. Of course, it all takes time, which is something people don't always give us.

    There's some things I simply won't compromise on, but the nuances mentioned earlier will get you every time. We do well on the regular audits, but knowing what some of the little things are makes me want to fill them. I'm sure there are plenty of things I don't know, but knowing them would probably drive me insane.

    Edit: I'm lucky in that I report to the Chief Information Security Officer. I know other management would benefit from security education. It would likely permeate down to others in the organization, which would only benefit the company as a whole. Education also takes time, which is something that many people don't have. Personally, I think it's worth it, but I guess I'm biased. 😉

  • Gary Varga (1/29/2016)


    SQLRNNR (1/29/2016)


    Jeff Moden (1/28/2016)


    Gary Varga (1/28/2016)


    I am not being facetious here (I know, surprise) but perhaps putting the cyber security education and implementation remit under the Health & Safety umbrella might be all it takes. When it sits with IT it gets ignored, however, H&S rarely seems to be.

    I absolutely agree. That's why I'm considering putting up a sign at my desk that says "Please go away because OSHA has declared that if just one more person rides my a55, I have to install handrails". 😀

    Just handrails or is there a ramp to go with them?

    ...and a ticketing machine???

    Turnstile...

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Jeff Moden (1/29/2016)


    Gary Varga (1/29/2016)


    SQLRNNR (1/29/2016)


    Jeff Moden (1/28/2016)


    Gary Varga (1/28/2016)


    I am not being facetious here (I know, surprise) but perhaps putting the cyber security education and implementation remit under the Health & Safety umbrella might be all it takes. When it sits with IT it gets ignored, however, H&S rarely seems to be.

    I absolutely agree. That's why I'm considering putting up a sign at my desk that says "Please go away because OSHA has declared that if just one more person rides my a55, I have to install handrails". 😀

    Just handrails or is there a ramp to go with them?

    ...and a ticketing machine???

    Turnstile...

    Careful now - that turnstile might turn into a fan and blow paperwork all over the place. Then you'd have the auditors running around your desk, which will only make the situation worse. 😛

  • I'm lucky to have a savvy manager that drives security.
