A commonly-misunderstood aspect of computer security is that you are battling computers.

No. That is not right at all. Computers are barely involved.

You are battling humans who eat apathy and coordination problems.

I tell the story often but in the beginnings of my career in IT I was fascinated by stories of 0days by state actors. And I worried about them.

As our entire client base was XP SP2 with zero governance and many machines shared huge groups of local admins. Some of them made Authenticated User a local admin.

And I sat there and I was worried about foreign military 0days. Perspective later is a hell of a thing.

The reason IT Security is so hard is someone has to do it. That's the answer.

That is not a technical challenge it is an interpersonal one.

Do you know how many smart people there are trying their very best? You think it would be deluged in security.

But it's not. This is a personal problem and that's what ruins everyone that tries it.

@SwiftOnSecurity I've just been through ISO 27001 certification. It's _mostly_ boilerplate required documentation, but it did allow me to at least push some of the "IT Security" changes I'd been advocating for years, but which had previously always been deprioritised to "we'll get to that sometime after the heat death of the universe". It's nice to have IT Security (and ISO certification) show up as procurement requirements and suddenly become "the most important thing!!!" to keep the money pipe open.
@bigiain there's talk of going through that here -- one of the issues is BYOD vs "choose your own device" and management. Was that a big factor for you?

@nonspecialist I chose to go kinda minimal on the device management stuff. You can do that so long as you document those choices. We've only ended up with a device monitoring tool that checks for four things - he encryption, screen lock (with password unlock), existence of an installed password manager (we use 1Password) and, umm, something else I'm not gonna try to remember this on a Friday afternoon. ;-)

Do you need a "CISO with experience reaching ISO27001 certification"? I could be tempted away pretty easily. Even without a C(whatever) title...

@bigiain mmmmm .... maybe? LMK if you're serious, it's a role I don't want to do but in the absence of anyone else, am likely to end up in
@nonspecialist I am fairly serious? Leaning well towards very serious if the role and engagement feels like a good fit? (And by that I mean that I'm 59 in February, so any career change I make now is likely (I hope) to be the last one, so I'll be looking for something that looks like it could be a 5/6 year stretch rather than a 6-12 month contracting gig that'd require me to go job-hunting again next year. I can easily work out to retirement here if I just suck it up and deal with the mundanity, but something new, exciting, and potentially long-ish term could easily tempt me away.)