Archive for the ‘CYA’ Category

Watch your back, but DO YOUR JOB!

July 23rd, 2006 Michael Farnum

Bear with me here.

I drove a tank in my Army days, and one of the things I learned was that the M1A1 Abrams tank was built with a low profile so it would be less visible to the enemy. But notice one word in that sentence: enemy. You don’t build it with a low profile to be less visible to your allies because you don’t expect them to be shooting at you.

The same principle is true in security. You build your infrastructure with a low profile so as to avoid attacks. You shouldn’t rely solely on a low profile, but it is a good layer. And again, you are putting these measures in place to protect against baddies, not your friends.

Now, in the first scenario, friendly fire sometimes happens. You put things in place to minimize this from happening. In the second scenario, this type of friendly fire happens when an insider unmaliciously screws up. You also put up defenses in a network to protect against dumb users.

But what happens when you are maliciously attacked by your “friends”? Well, good commanders make sure they have defenses against this as well. But you really don’t put in major defenses against this scenario. It is not a common enough occurrence on which to spend a high amount of resources. (A point to note: in war, if an ally becomes a turncoat and shoots at their own side, it is not termed “friendly fire”.)

Here’s where I am going with this. Martin McKeay linked to this article in this post. It is the nightmare of nightmares for a security manager: asking the powers-that-be to invest in security, then getting fired because they didn’t invest and your security got breached. Bad, bad stuff.

But in the very first comment to the post, a commenter said, “He pushed too hard to do the right thing and made himself too visible and unpopular.” High visibility may have got this guy fired. Only that security manager and the CEO know whether this is actually what happened. But that doesn’t matter. What matters is that the advice the commenter is basically giving is to keep your head down and do your job. This flies directly in the face of some of my recent advice on my series for making yourself a more successful security manager / admin.

I will stick by my advice: make yourself visible, let others know what you are doing. I have never said push until you piss someone off, but that will happen sometimes. It may have got this guy fired, but if he had not pushed and documented that he pushed, do you think he would have a chance in H-E-Double-Hockey-Sticks to bring suit against his previous employer? Nope.

So, protect against the attack, remain visible, and watch your back. Don’t try to get along just to keep your job. I would rather DO my job than just KEEP it. But that’s just me.

Vet

Categories: CYA, Rant, Security