Computer repair tech AKA Security Expert
-
@Dashrender said:
This makes me think - a second pair of eyes is usually worth having to look at a problem to ensure you dotted all the i's and crossed all the t's.
And that is a big difference between SMBs and the enterprise space. In the enterprise you expect that people are checking on each other, reviewing things, looking over each other's shoulders, etc. In the SMB, you generally assume that it is one person working in a vacuum. You might get to hire someone to review major decisions, but that's rare and only on occasion. In the enterprise, I've seen shops where you have someone looking over your shoulder for every command run in production, every time.
-
@scottalanmiller said:
You don't lock down servers, the server people do that. You don't design a secure network, the network people do that. You don't have anything to do. It's a nonsensical department for all intents and purposes. And hence, probably why they don't exist in the real world. What is a "security expert" really?
I think people think testing what the server and network people did would be a full-time job, like the configuration would somehow change daily or something.
-
@Dashrender said:
is an afterthought for most IT folks today.
It vastly depends on the company. It's not for us. We have approx. 25 IT staff (we have mostly generalists; I'm the Systems Engineer for the main DC site, which is not at corporate due to weather/tornadoes and such) plus DevOps to develop our in-house software. There is a lot of focus on security, but it's not just IT security. Our parking lots, buildings, etc. are all gated, with armed guards in shacks at every entrance. RFID + PIN are required to get in (at every location, not just this one).
-
@thecreativeone91 said:
I think people think testing what the server and network people did would be a full-time job, like the configuration would somehow change daily or something.
In theory, in an enormous environment, you might have a few people doing this, in theory. It does not take too many, especially as many environments change very slowly, and often you would want an outside firm doing this just so that there is clear incentive on one side to block them and on the other side to succeed. But this is rare, super expensive and mostly automatable so you don't need a huge team for an amazingly large number of systems.
And what environment is so locked down that they would want to do this? Some, but not many. Most places have known holes and just guess that it is not worth locking them down. In the real world, putting money into securing known issues goes a lot farther than hiring expensive people to sit around full time reminding you that you are paying to know where the holes are rather than having filled the ones you already knew about.
But you are completely correct. It seems to be everyone's assumption that it takes an army of specially trained hacker ninjas running around the clock to see if they can break in. As if your environment changes daily and there is always a new way in or a new technique that they just learned about. When in reality, one guy and a script would do 99% of the job.
-
And think about how many things cannot be reasonably secured.... Heartbleed is a great example. You discover you have Heartbleed, so either you wait for a patch and hope for the best or it is available and you patch right away. A security department telling you that things are vulnerable does no good as you would have already known. You just need people to help with the actual patching!