Senior Manager vs Information Security Fun#3 - on cloud services

1 year ago, in a ABC company not too far away....

Senior Manager mate: <*talking to the Board members*> I'm pleased to announce that we managed to save 100K by outsourcing our storage place to cloud service provider JKL... with this, we also reduce our IT spending as we don't need as many IT support personnel for our IT system as before. Another advantage is that, now we can access our data anywhere and anytime.... blah..blah...

6 months ago, in that very same ABC company.....

Senior Manager mate: <*talking to the Board members*> I'm pleased to announce that we managed to save another 50K by moving to another cloud service provider FGH.... blah.. blah..

3 days ago, still at that ABC company....

Information Security lad: Senior Manager sir, have you read the headlines today? It says "DEF company found ABC company data on JKL's cloud storage assigned to them"......

Share - 5 Scary Types of Security Professionals You Will Meet in Your Career

This one is written by a good friend of mine. It's a great piece and I'm certainly of the same view :)

5 Scary Types of Security Professionals You Will Meet in Your Career - by Adriano Dias Leite

5 – The NO-Master
4 – The By-The-Book Preacher
3 – The Dinosaur
2 – The Technology-Solves-It-All
1 – The paranoid

Which one are you? ;) 

My 2 cent: 4 – The By-The-Book Preacher reminds me of certain external auditor that like to quote "according to this ISO standard... according to this "statement" blah blah blah.... no wonder people hate auditors and opined that they are just bunch of stupid fella...

Read more here - http://www.myinfosecjob.com/2012/04/5-scary-types-of-security-professionals-you-will-meet-in-your-career/

Ain't security fun? ;)  

Fun with Lock Screen Policy

This one is based on a true story.....

Information Security lad: <* walking around the building and saw that most of the staffs "forgot" to lock their workstation's screen while they are away from their desk *> hmm.... I have sent many bulletins and reminders regarding this, but seems like they still don't get it. I have to do something.... I think my HR sis can help...

Information Security lad went to his HR friend and they work out an awareness "campaign"....

3 days later...

Information Security lad: <* walking around the building and saw a PC left without screen lock. He quickly sat down and open the email program *>. This going to be fun... I'm going to write an email...

Information Security vs Senior Manager Fun#2 - Admin right for "VIP" user

Here is another deja vu.....

Senior Manager mate: Love, have you got that report finished? I need it before lunch to present it to the Board.
Personal Assistant love: Sir, not yet. I tried to install that reporting software you gave me but it just failed... I tried it many time but it keeps telling me something like "insufficient right"... hell I know what's that mean...

Senior Manager mate:  Ah... I remember that.. something to do with admin right that IT folks set. Why these IT folks keep making my life harder each day!  <*picking up the phone and call the IT Supplier chap*> Can you come here immediately? I need you to install a reporting software on my PA's PC immediately.
<* IT Supplier chap arrived 5 minutes later*>

Senior Manager mate: Give my P.A the admin right. I need her to do other reports with other software and I don't like the need to call you every time I need to do so. I insist.
IT Supplier cap: If that you want Sir, please sign this admin right request form.... but before that, you should know that having admin right could increase the risk of virus infection....
Senior Manager mate: <* interrupting IT Supplier chap*> Yeah.. I know all that stuff... just get it done now!

Information Security vs Senior Manager Fun#1 - on BYOD

6 months ago...in a XYZ company far far away..

Senior Manager mate: You security guys put tons of security stuffs on my Windows laptop. It takes 15 minutes just to boot-up. Now you are telling me you want to put another piece of compliance software inside? Damm! I don't want to use this Windows shit anymore. See my Mac there. There is no virus attacking Mac. Mac is safe and in less than 5 minutes, I can already use it.
Information Security lad: Sir, the security software were installed to ensure your laptop is secure.. blah..blah.....
Senior Manager mate: Nah! I'll just use my Mac and iPad. Anyway, I know that BYOD policy has been approved as I'm part of the reviewer.
Information Security lad: In that case, please sign this exception form sir... <* explaining the risk of BYOD etc etc and in his head: well, I've done my job, I told you the risk and you accept it, I'm just gonna move on *> 

3 days ago.... still in that far far away XYZ company...

Business IT vs IT Supplier Fun#1 - who should set security expectations?

IT Demand vs IT Supply

 
Business IT bloke: Security? I thought you as our IT Supplier supposes to provide all this security protections by default. I paid you guys lots of money!
IT Supplier chap:  Security? We only provide the basic one. That project manager of yours didn't tell us he wanted more. Furthermore, it's not in the SLA. So, we are not obliged to do so.
Information Security lad:  <*smirking....and having fun inside*>

Deja vu! Right? I'm sure, many of you as a CISO, Information Security Manager, Consultant or Professional have had the luxury to witness this kind of argument within your organization, especially when you are working for a conglomerate that adopt IT Demand and IT Supply model (yeah...Mckinsey's stuff).

Now, as a season Information Security Professional, what would be your advice? What would be the best practice (ain't we all infosec guyz like to quote best practice?)