What Are You Doing Right Now
-
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
I was reacting to you saying
"Other than verifying that this isn't a scam and that the owners/CEO or whoever is running IT did in fact authorize this, IT has NOTHING to say here - this is not their right to assess. "I disagree that you can't assess a request and go back to the CEO (or management) and voice concerns.
What would those concerns be? That the audit is real? That the CEO did actually authorize it?
Any "concerns" past that are not really appropriate, right? What possible "concern" is there here that is legitimate to bring up realistically?
In THAT particular situation, you are correct. I am arguing against the concept that IT should never question orders or raise concerns.
-
@BRRABill said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
I can already tell what path this argument is leading down. LOL. I've said my peace.
But you see my concern? If that's the reaction of said employee, you should be terrified that they have the keys to the kingdom. That they feel that their own emotional ownership of the network is so important that they would quit (or worse, attempt to seize control) rather than do their jobs is a HUGE risk and something we should specifically never see in someone we need to trust in an IT position.
A security audit looking for that very reaction would be a good one to have, in fact.
-
@scottalanmiller said in What Are You Doing Right Now:
@wirestyle22 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
What logic leads to employees having logic?
Given that that is the primary value in an IT employee....
Only if they listen to you. If they don't listen you have virtually no value
-
@BRRABill said in What Are You Doing Right Now:
In THAT particular situation, you are correct. I am arguing against the concept that IT should never question orders or raise concerns.
A security audit is a very specific thing. Trying to hold back security information from an audit... it's a bit ridiculous. There are concerns, but I addressed concerns. Now it is questioning the CEO's decision to question IT. That's quite the thing to question.
-
@wirestyle22 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@wirestyle22 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
What logic leads to employees having logic?
Given that that is the primary value in an IT employee....
Only if they listen to you. If they don't listen you have virtually no value
Actually not quite. There is still value in employees that do their job. The issue here is that emotions can make IT not even do the job that they are required to do!
-
Have to keep perspective that IT is to Support the Business, not be the Business. If there is a request by a 3rd party for additional security information, then all we can do is verify the request by the CEO. Anything else past that, and we're being insubordinate. We need to assume that the CEO has vetted the 3rd party and that the 3rd party will properly keep our information safe, secured, and not to use it maliciously.
-
We had a curious situation of bringing in some auditor for accounting stuff, which included having to answer questions about our network (password policies, what applications are run on what servers, who supports them, NFTS permission settings). I was also given a template for the expected answers, which was basically answers from another company they've audited -- I can't remember whether or not the name of the company was on the template. I thought it was a bit odd to for that information to be needed, so I raised the question with the CEO. Once I knew the CEO was aware this information was being requested, I shut my trap and completed the documentation.
-
@travisdh1 @scottalanmiller In restrospect, I could've probably been smoother in voicing my concern. I wasn't reprimanded, but it made me finally accept that my job really isn't to protect our network from the company, but rather do the company's bidding to the network.
-
I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.
-
@RojoLoco said in What Are You Doing Right Now:
I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.
And I said that... that confirming that the audit was real and really authorized. I even mentioned handing the "hot potato" documents up the chain to be handed over to ensure that someone closer to the relationship did the hand over.
-
@scottalanmiller said in What Are You Doing Right Now:
@RojoLoco said in What Are You Doing Right Now:
I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.
And I said that... that confirming that the audit was real and really authorized. I even mentioned handing the "hot potato" documents up the chain to be handed over to ensure that someone closer to the relationship did the hand over.
At least to include the higher ups in the hand over, in something such as an email or a meeting or something.
-
If you are afraid of an audit, then you probably shouldn't work there.
-
@Dashrender said in What Are You Doing Right Now:
If you are afraid of an audit, then you probably shouldn't work there.
That's kind of a bad mindset isn't it?
No one willfully wants to go through an audit, but people plan for it and do it.
Just because one is afraid of the audit, doesn't mean they are doing something wrong or illegal. Maybe they just have super poor documentation.
-
@Dashrender said in What Are You Doing Right Now:
If you are afraid of an audit, then you probably shouldn't work there.
I agree. Although the OP doesn't see to be afraid of the audit in a general sense. Just this one part of it. It's a weird part, IMHO. Like it feels like one of the most obvious things that they would need AND very benign.
-
@DustinB3403 said in What Are You Doing Right Now:
No one willfully wants to go through an audit, but people plan for it and do it.
Sure we do. Good departments should want audited.
President of Brasil literally demanded he be audited yesterday!
-
@DustinB3403 said in What Are You Doing Right Now:
Just because one is afraid of the audit, doesn't mean they are doing something wrong or illegal. Maybe they just have super poor documentation.
Isn't poor docs doing something wrong
-
@scottalanmiller said in What Are You Doing Right Now:
Isn't poor docs doing something wrong
Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.
@scottalanmiller said in What Are You Doing Right Now:
Sure we do. Good departments should want audited.
President of Brasil literally demanded he be audited yesterday!
No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.
-
@Dashrender said in What Are You Doing Right Now:
If you are afraid of an audit, then you probably shouldn't work there.
I actually (despite my griping) liked having a SAM license engagement one time. It gave weight to my "f0 r3@lz, properly licensing software matters."
-
@DustinB3403 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Isn't poor docs doing something wrong
Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.
But in that case, you'd not care that you were audited, either.
-
@DustinB3403 said in What Are You Doing Right Now:
No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.
Did he get blindsided? I didn't notice that part.