I don't think that applies here entirely either. Not saying you are wrong, but CEOs and upper management with their requests, even over your objections, well, usually that is in the free marketplace. And to be honest, I would even go as far as to argue that "your" job is to accurately present the choices, not make them. And bad CEOs/management either hire bad people, or listen to bad advice, or don't listen to good advice, or ignore knowledge, or are grossly misjudging risk. And they will, should, in a self-correcting marketplace, be punished for it and disappear. In other words, you say "you really should have a password on your phone; if you lose it, someone can access all your data, which is a nightmare because of a, b and c" - and if they still choose to ignore you, they will lose the phone, get hacked, have money stolen from them, get dragged through the news, lose business, and the CEO gets dumped.

Infrastructure like water plants, it's usually government controlled. There are soulless people, pushing away responsibility, fights over power, and the people wanting responsibility and winning power (usually whoever comes closest to CEO) will be in it for political reasons, and fight fallout tooth and nail, i.e. throw the sysadmin under the bus before even considering that they were the person not allowing time or money to be put into securing the system.

Oddly, the NIST 800 series is often looked down on in certain critical infrastructure sectors that have more specific compliance frameworks. I worked for an electric company under NERC CIP but came from a FISMA background, and whenever I would bring up NIST my coworkers looked like I had just tried to bring up my star sign at an astronomy convention. That's despite the fact that NIST is leagues ahead of any other security guidance I've seen (outside of vendor-specific stuff) and works with the larger security community to make excellent and somewhat accessible resources for most aspects of cybersecurity.
I am not sure "not care" is the right word. I am sure the people involved, and the persons making decisions, do care. But there's this guy doing this computer stuff, who is talking about "hackers". And then there is the bigger boss who said he needs to X, and then there is the team Y that complains that driving on location is just stupid, so why not give them access. Then there is the other computer guy who is talking about "bugs", but who would choose us? I honestly believe it's a mix of multiple cooks, with a big helping of budget issues, lack of knowledge, advertising lies, permanent temporary fixes, and information flow. And not so much "don't care", unless you count "not believing in necessity" as "not caring". I don't think the issue would persist if a mandate would dictate what will be done or not. And I also don't think it would be as bad as what we see here if those places had on-location, full-time sysadmins / security personnel employed, and would not operate on "decade-old systems are good enough, and Bob from down the road can set it up just fine".