On Fri, 9 Nov 2007, Steven Osman wrote:

> Well, that's all true, and not to offend anyone on the list or anything,
> but there's a reason that folks who are hired to do PR and marketing are
> not the same folks who are hired to secure networks.

Yes, but from a security perspective you've always got to sort of balance
business growth with what's essentially a fiduciary responsibility to
protect the organization- lots of times from itself.

> We're "reasonably" good at what we do, let's trust that other folks are
> "reasonably" good at what they do, whether we understand it entirely or
> not.

That doesn't mean we let them make strategic network decisions by blindly
allowing their choices.

> It's always easier to just say no to everything, but then nothing gets
> done.

Not much gets compromised either.

A good security practitioner should be able to bring a business case along
with the security case. Not saying "no" might make you popular
internally, but security isn't about popularity, and like it or not for
almost all cases the less you let in, the less risk you assume- so letting
more and newer things in _should_ be an uphill battle.

Paul D. Robertson
paul@compuwar.net
"My statements in this message are personal opinions
which may have no basis whatsoever in fact."

firewall-wizards mailing list