The advantage that S-OX and other pressure gives the truly impeccable pro is that it gives him/her an edge while convincing people to agree to changes. A truly impeccable pro in the average organisation has spent years ruing the fact that management doesn't allow him/her to make the changes needed - now it's finally time to make all that happen.
However, the "disadvantage" is the pressure on the pro to perform. A small mistake could be a fatal one.
While this is true, I still find many "required" security changes falling by the wayside due to cost or "that (hack or misuse) will never happen." The way I protect myself is to document, in writing, the risks and the recommended remediation. Depending on the assets at risk, I might go up the ladder a few hops. That way, the CIO can't say, "If I had known that, I would have mitigated it." Also, even if my recommendations get ignored (mgmt calls it "accepting the risk" *), I've done my job.
Basically, it's my job to review the situation, understand the business needs, and attempt to define the risk, the probability, and the estimated loss. Once I pass that on with my recommendations, I've done my job--it's management's job to manage: accept, mitigate, or transfer the risk.
Remember that next time you don't get any traction: just say, "My job is to determine the risk and the remediation; management's job is to decide what to do." That way, I come out smelling like a rose. And I've transferred the responsibility from my backside to management's backside.
* Accepting the risk -- I like to remind my mgmt that they can't accept what isn't documented and understood. If they don't take the time to truly understand the business impact of such a decision (what's the business case), they haven't accepted anything--they've ignored it.
May sound kind of weird, but in a sense an IT license. My father's work decided to put in wireless, that's great. He walked down to the computer store, bought a Netgear, plugged it in, and was very happy when he had harnessed technology to work w/o a problem. We both know what he's neglected to discover.
Too many people are using technology when it really shouldn't be, i.e., online banking shouldn't become available for another year or two, imo. In fact, the majority of users are sending their details to other people without realising it's even possible.
I disagree. Wireless equipment (I'll use one of your examples) comes with a manual that encourages users to take security precautions and then provides step-by-step procedures. Most folks just don't take the time to read the manual (there's the weak PEOPLE link again).
Now you could say that the average Josephine can't understand WEP encryption (or whatever the security suggestions are) or can't follow the documentation to implement it. But that does not absolve them of the responsibility. If you have a manual (even a poor one) that notes the security issues, you are not UN-INFORMED. You ARE informed, you just don't know how to make it work.
So most folks take the easy way out and say IT WILL NEVER HAPPEN TO ME!
The fact that technology is hard to understand DOES make fewer people use it when it comes to security. So lazy or computer-illiterate folks should never use wireless? NO! When your main sewer drain is plugged, do you stop using water and the toilet in your house? NO! You call an expert to fix the problem.
If you're too lazy to do it right or can't afford an expert (or don't know a friend who can do it), then I agree that you should not use the technology. But that's not the technology's fault--sure, it could be simpler--but the person makes the decision on what to do (or ignore).
[Whoa, anyone notice my hot button? Sorry for the long drawl. If you're all smart, you'll just agree with me so we can all get on with our lives. Otherwise, I have a lot of debate left in me (and I won't give up, not by the hairs on my chinny-chin-chin).]
online banking shouldn't become available for another year or two
What do you have against online banking? Are you saying the security isn't available? I think that it's just not properly implemented. I will be so bold as to say that banking online with banks that do security right is more secure than banking in person (uh oh). And the same is true with using your credit card online vs. in person.
GSecur, you've tested a lot of banks. Your opinion?