I worked in security for a while, but luckily on the vendor side and not the consumer side. The old yarn in that area is when everything (security wise) is fine, management asks you "What are we paying you for?". When it inevitably turns pear shaped they ask, "What are we paying you for?"
Fun times.
It's a variation on the prevention paradox.
Many years ago I had a fascination with security and fancied becoming the CISO for the multinational I was working for at the time - my boss at the time, the CIO, said the role would really have no power and would be there as a sacrificial lamb should there actually be a serious security breach. This rather put me off the idea.
On the flip side, some companies have gone to extremes. I now have to MFA and provide a pin-code to authenticate. I have to do this several times a day. It's fucking mind-boggling how I can get anything done in a day when I spend so much time verifying who I am. I'm waiting for the next innovation...require a drop of my blood to log in.
Why is that extreme? I have to provide a pin code using MFA to my bank to authenticate, and their sessions are a lot shorter than your average developer or operator session.
And their actions impact far more than just my own account. Is it inconvenient? Yes. Does it work? Yes. Is it perfect? No, absolutely not but it is a useful layer in the cake.
Requiring a user to MFA once per day per device is normal for a work account - but that's already a lot compared to services like gmail.
After all, workers are mostly working in an access-controlled office or their private home; and your endpoint protection will be ensuring they're connecting from a company-issued laptop and that they have screen lock on a timer and a strong password.
I'm already validating something-they-know (FDE password) and something-they-know (OS password) and something-they-know (SSO system password) and something-they-have (company laptop). And once a day I'm validating another something-they-have (TOTP code/Yubikey).
Asking people to provide the second something-they-have several times a day seems like security theatre to me.
Your comment should be required reading for any CISO that finds themselves without mandate, budget or support from upper management.
In retrospect, after the 2008 crash in the finance world how the role of a CISO was described to me sounded an awful lot like risk officers in a lot of financial organisations.
Head of Quality Assurance is often also treated as ablative armor for existing management.
That's a very poetic description.
The Risk Management manager character played by Demi Moore in the "Margin Call" movie is another example of this in the financial industry.
Awesome movie.
I've seen this go from bad to worse. A company had a bad project manager they couldn't get rid of, and required a security person by law, so they promoted him. The idea was he would get kicked out of the company the next time a security boo boo happened.
It went a lot worse. The guy had no idea about security and no common sense, and did genius things like forbidding encryption in the name of security (so the network people would be able to do packet inspection for monitoring security). But he created a morass of paperwork, and made it impossible for any project to make any kind of progress without involving security. End user computers slowed to unusable speed as he threw in more and more snake oil security software. As his rules were vague, dumb, self-conflicting and very very time consuming, nobody followed them, so he could always point to someone not following the rules when a security boo boo happened. He grew his department like a mushroom, wasted huge amounts of money, and entrenched himself completely, all based on sweet talk and complete nonsense. I've learned a lot about office politics watching him.
We had a meaningful amount of {industrial accident happened} added to the pipeline every year. We made outdoor lighting.
Serious injuries or deaths are a terrible feeling, even if the end result was better safety for the rest of the workers.