
Peculiarities of national information security

Rereading a discussion in the Ukrainian information security group on LinkedIn, I could not resist and put my thoughts into a short article. After a couple of timid comments the moderator closed the thread because, in his opinion, it does not belong to the field of information security. I think it does. Here is what I actually think about it.

Business ethics (I am not talking about morality; morality is somewhat different) - what is it? What is it for? How do you use it? How do you monetize the ethics of your business? After several fairly large banks collapsed nearly two years ago, the problem of business ethics was raised a little, but immediately sank as unnecessary. I mean that several commercial institutions with a high reputation monetized it all at once using the "Hop!" method: they withdrew funds from the troubled asset and shifted the debt onto the shoulders of ordinary people.

Gilenko hardly built the bank "Nadra" in order to cheat a certain number of depositors. But when it became clear that, frankly, the bank was "not going to survive", the decision was "every man for himself", and the owners had far more means of rescue than ordinary depositors. A reputation built over years was converted wholesale into profit. And this can happen in any business.
But I am not even talking about business ethics as such. I want to talk about simpler things - information security (IS). In doing our work, we build various information security systems. What guides us in building them? What do we write in the "Basis for Development" section of the terms of reference?

We write: "Regulatory Documents", "Industry Standards", "Modern Technologies", "The Market for Specialized Equipment and Software", "Best Practices", "Experience Implementing Such Systems", and so on. But what we think is: "Maximum profit".

Many times I have seen that many IS tasks can be solved by administrative and operational measures, yet to solve them expensive equipment was purchased while the administrative and operational measures were never carried out. Someone will ask me: why? Or is it clear to everyone?

Both sides - the Customer and the Contractor, in the person of those responsible at each level - sit around a clearing called "Information Security" (the same is true of IT as a whole) with one thought: "so that we get more of everything and pay nothing for it".


Now I do not want to talk about competition between integrators or specialized companies (market players, residents) and the role of kickbacks in it, although even in tenders between vendors kickbacks now often become the key factor. Kickbacks have become the largest driver of the IT and information security business (I hope they are not yet market-forming, although nobody keeps statistics). IT and IS have become remoras on the body of production, trade and services.

Once I asked a successful sales manager whether he had recently had any sales without kickbacks. In response I heard a long pause, and then an ornate explanation of why kickbacks are not as bad as they seem to me at first glance.

Even if we keep a straight face (that is, ignoring the ethics of kickbacks - many work at lower rates because the employer believes that the IT and IS people will steal the rest themselves), there still remains the question of optimal planning and use of IT and IS budgets.

I want to talk about how kickbacks make our IT and IS solutions suboptimal. The choice of solutions is often determined by inflated budgets and kickbacks rather than by technical characteristics. At one large private (!) enterprise I watched two different network security systems being built over the years by two different departments (with that money one could have built a single system with twice the functionality). Almost every department had its own server, and the ITC had more than one SAN system.

Moreover, few people consider that, once hooked on kickbacks, a specialist involved in purchasing decisions can no longer remain objective in choosing IT and IS solutions. After all, if he wants to "jump ship" from a suboptimal vendor to another, more optimal one (they pay kickbacks too), he can get in trouble: he risks disclosure of the kickbacks and the loss of his professional reputation. Today IT and IS people cope with this through regular rotation (changing jobs), but the essence remains the same.

So an interesting thing emerges: the IS service at an enterprise (part of the security service) is supposed to protect the business from economic damage, but who will protect the business from the IS service? What are your thoughts on this? Does it bother you or not? Or am I so angry only because I never had a bicycle?

P.S. Yes, there are people to whom the above does not apply; I am aware of that, but I am not writing about them.

Source: https://habr.com/ru/post/95916/
