What Are You Doing Right Now
-
So how would this conversation with the boss go? "Hey, CEO... your auditor is trying to do their job and I don't understand security, but I feel like this auditor is either a risk to my network or undermines my consolidation of power. I'd like to question your hiring this guy and if I should comply with the audit that you paid for or not?"
-
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
I think it's perfectly ok to question a request as opposed to just blindly doing it because you were ordered.
If by question you mean "double check with the boss and voice your concerns until he makes it clear you are to follow orders?" Okay, that's how you can handle that if you have that much authority. Anything past that, and you are insubordinate. It's NOT okay to refuse to follow orders. Questioning and refusing are very different things.
That's all I meant.
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
But yes, his network, his rules.
I was reacting to you saying
"Other than verifying that this isn't a scam and that the owners/CEO or whoever is running IT did in fact authorize this, IT has NOTHING to say here - this is not their right to assess. "I disagree that you can't assess a request and go back to the CEO (or management) and voice concerns.
-
@wirestyle22 said in What Are You Doing Right Now:
Most companies don't even know how to fill out a proper job description but the expectation is they will know how to properly vet a third party company?
I hate to tell you this, but:
- This automatically means that they were unable to vet the internal parties too. So the internal IT would demonstrate that they can't be trusted automatically by triggering this line of thinking.
- This isn't IT's concern. Period.
-
@scottalanmiller said in What Are You Doing Right Now:
So how would this conversation with the boss go? "Hey, CEO... your auditor is trying to do their job and I don't understand security, but I feel like this auditor is either a risk to my network or undermines my consolidation of power. I'd like to question your hiring this guy and if I should comply with the audit that you paid for or not?"
I'm talking about the initial hiring process. I can absolutely understand hesitation consider the company has no idea what they need or how to vet. After you hire a company though I completely agree with you.
-
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
-
@wirestyle22 said in What Are You Doing Right Now:
I'm talking about the initial hiring process. I can absolutely understand hesitation consider the company has no idea what they need or how to vet. After you hire a company though I completely agree with you.
Right, and the situation here is that the audit is already underway.
-
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
I can already tell what path this argument is leading down. LOL. I've said my peace.
-
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
What logic leads to employees having logic?
-
@BRRABill said in What Are You Doing Right Now:
I was reacting to you saying
"Other than verifying that this isn't a scam and that the owners/CEO or whoever is running IT did in fact authorize this, IT has NOTHING to say here - this is not their right to assess. "I disagree that you can't assess a request and go back to the CEO (or management) and voice concerns.
What would those concerns be? That the audit is real? That the CEO did actually authorize it?
Any "concerns" past that are not really appropriate, right? What possible "concern" is there here that is legitimate to bring up realistically?
-
@wirestyle22 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
What logic leads to employees having logic?
Given that that is the primary value in an IT employee....
-
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
I was reacting to you saying
"Other than verifying that this isn't a scam and that the owners/CEO or whoever is running IT did in fact authorize this, IT has NOTHING to say here - this is not their right to assess. "I disagree that you can't assess a request and go back to the CEO (or management) and voice concerns.
What would those concerns be? That the audit is real? That the CEO did actually authorize it?
Any "concerns" past that are not really appropriate, right? What possible "concern" is there here that is legitimate to bring up realistically?
In THAT particular situation, you are correct. I am arguing against the concept that IT should never question orders or raise concerns.
-
@BRRABill said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
I can already tell what path this argument is leading down. LOL. I've said my peace.
But you see my concern? If that's the reaction of said employee, you should be terrified that they have the keys to the kingdom. That they feel that their own emotional ownership of the network is so important that they would quit (or worse, attempt to seize control) rather than do their jobs is a HUGE risk and something we should specifically never see in someone we need to trust in an IT position.
A security audit looking for that very reaction would be a good one to have, in fact.
-
@scottalanmiller said in What Are You Doing Right Now:
@wirestyle22 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
What logic leads to employees having logic?
Given that that is the primary value in an IT employee....
Only if they listen to you. If they don't listen you have virtually no value
-
@BRRABill said in What Are You Doing Right Now:
In THAT particular situation, you are correct. I am arguing against the concept that IT should never question orders or raise concerns.
A security audit is a very specific thing. Trying to hold back security information from an audit... it's a bit ridiculous. There are concerns, but I addressed concerns. Now it is questioning the CEO's decision to question IT. That's quite the thing to question.
-
@wirestyle22 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@wirestyle22 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@BRRABill said in What Are You Doing Right Now:
If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.
What employee logic leads to that?
What logic leads to employees having logic?
Given that that is the primary value in an IT employee....
Only if they listen to you. If they don't listen you have virtually no value
Actually not quite. There is still value in employees that do their job. The issue here is that emotions can make IT not even do the job that they are required to do!
-
Have to keep perspective that IT is to Support the Business, not be the Business. If there is a request by a 3rd party for additional security information, then all we can do is verify the request by the CEO. Anything else past that, and we're being insubordinate. We need to assume that the CEO has vetted the 3rd party and that the 3rd party will properly keep our information safe, secured, and not to use it maliciously.
-
We had a curious situation of bringing in some auditor for accounting stuff, which included having to answer questions about our network (password policies, what applications are run on what servers, who supports them, NFTS permission settings). I was also given a template for the expected answers, which was basically answers from another company they've audited -- I can't remember whether or not the name of the company was on the template. I thought it was a bit odd to for that information to be needed, so I raised the question with the CEO. Once I knew the CEO was aware this information was being requested, I shut my trap and completed the documentation.
-
@travisdh1 @scottalanmiller In restrospect, I could've probably been smoother in voicing my concern. I wasn't reprimanded, but it made me finally accept that my job really isn't to protect our network from the company, but rather do the company's bidding to the network.
-
I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.
-
@RojoLoco said in What Are You Doing Right Now:
I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.
And I said that... that confirming that the audit was real and really authorized. I even mentioned handing the "hot potato" documents up the chain to be handed over to ensure that someone closer to the relationship did the hand over.