Or: when not to swat flies with a Buick. So hi ho, hi ho, onto my soap-box I go.
At one point, someone at one of my early employers decided that I would be “the security expert.” OK, fine. I attended a meeting with a manager in Germany. At the time, a group of people within the company was attempting to leverage a combination of their excellent and pioneering security and cryptography products, as well as a relevant selection of Internet solutions from external suppliers. Among these was the then-brand-new Netscape proxy server. My meeting partner immediately began to enthuse about the possibilities of monitoring the activities of all employees, monitoring this, logging that, etc. etc. etc. I had to bring him down from his tree and remind the guy that if your people are spending all day looking at porn, that’s a leadership and motivation issue that you can’t solve technically.
Shortly thereafter, when I installed the first of these things at a client site, I left their brand-new leased line up and running, and had the proxy log connections as a test. The next morning I noticed a huge amount of logs; as it turned out, one of the IT guys had stayed late and downloaded inordinate amounts of fairly nasty porn. My client’s IT manager had made it clear that he was of the same persuasion as the German colleague described above; the staffer would doubtlessly have been fired, so I asked a colleague of his to quietly inform him that all connections were being logged explicitly as of now, and deleted the logs (this was before we handed over the infrastructure so I wasn’t technically outside my authority.) I don’t suppose he did it again, and I still think this approach was better than costing the man his job over some naked girls and farm animals and whatnot.
In the meantime, I have gotten into numerous discussions about this and similar topics. What I call the “powerpoint mentality” often seems to take hold of many managers of all backgrounds, ranging from freshly promoted former engineers to MBAs from top schools with years of experience. By this, I mean that frequently things look good in a theoretical presentation, but in real life they break down. The main culprit among these is the habit of small minds and bad leaders to try to quantify what they do not understand, such as human nature. When you quantify something, you can start to restrict it so it fits your world view. Unfortunately, it often leads you to neglect responsibility for intangible issues that you just have to play by ear based on skill and experience; in German, this is called “Fingerspitzengefuehl”, or “finger-tip feeling.”
I see parallels to the discussion about limiting sysadmin privileges. To my discredit, I am prone to lumping this argument in with the category of “control-freak managers.” I shouldn’t do that, as there are good reasons for proper privilege separation and audit trails. However, my bugaboo with this is that it very often (a) goes to extremes, seeking to artificially restrict and control what a sysadmin does (in direct contravention of one of my rules of Getting Stuff Done: “hire good people, pay them a lot of money, and trust them.” Within reason, of course.), and (b) lets crappy management off the hook by focusing on technical staff as the primary threat to the enterprise. I tend towards inexcusable knee-jerk reactions, not being very informed about statistics of privilege abuse by technicians, and having seen far too many incidents of managerial abuse of privilege not to be cynical whenever the topic comes up.
At risk of ranting and rambling, I’d like to draw a parallel to security professionals uncovering incriminating evidence on other employees, and being informed by HR either that no action be taken due to the “suspect’s” standing (i.e. a profitable trader), or that employment and privacy laws be knowingly broken in the course of the investigation, as the potential fine, should this violation be discovered, would be far outweighed by the likely financial loss to the company if the incident were not investigated with all available means. All this in all likelihood (no paper trails please) with the tacit knowledge of C-level executives. I’m aware of numerous occurrences of both of these.
I leave it as an exercise to you, dear reader, to decide where the line lies between restricting and auditing employee and sysadmin activity, and doing the same for managers who seem to have trouble with basic right and wrong.