back to article Sysadmins: Your great power brings the chance to RUIN security

Risk management bod Kris French Junior has offered 10 tips to help security teams bin their boring, technical, and uniformed education schemes The Hyland Software education aficionado takes aim at what he sees as pervasive checkbox compliance-driven and complicated training programs that lack the excitement and pizazz of crowd …

  1. Christian Berger Silver badge

    Honestly we are still at a point where education isn't quite effective

    For example many companies _still_ have Acrobat Reader installed instead of just about any other PDF reader out there. Why? Nobody knows. Companies still have e-mail clients displaying HTML-Mail. Why? Nobody knows.

    You need to give your users a chance to act in a secure manner before you try to educate them to do things they cannot do. How do they know if an e-mail is from a trustworthy source if you don't even have GnuPG installed? Shouldn't they be able to open any e-mail without being worried of it using security bugs in their e-mail software?

  2. Trevor_Pott Gold badge

    Again with the "IT must not only be technical experts, they must be sales and marketing experts without any additional training, pay, etc."

    Fuck IT. There's way easier work that pays the same (or better) out there. Turn a wrench and make some oil come out of the ground. You're only expected to do one job. Unless you want to upcertify to get your WHIMIS or EMT or something...but then you get extra pay. The expectation that IT will be all things to all people is utter bullshit.

    1. LDS Silver badge

      Right, but in any environment you have to speak in a language understandable by your audience. Be it gaining management support for security efforts, or gaining investment for a new product idea, in some ways someone has to "sell" it to the people in charge to authorize and pay for it.

      It is true that if they are in that very place, they should have already the knowledge and the skills to understand you - maybe in a "perferct world".

      Too often you have to talk to someone who was put there without the proper background. It happens more often in countries/companies where tech skills are valued far less than legal/economic/sales/marketing ones. You may like it or not, but they will never learn about your world, thereby you need to learn how to "lower" yourself at a level they can understand.

      Usually, it's not that hard. Sure, for example you can't just tell them the chosen flat AD and PKI infrastructure is the wrong choice for a so big company - they can't understand why. But show them pretty animations about an attack easily compromising it and crippling business activities (cite Sony here, with some news headlines and executive names under fire...), while another design better withstand it and lets most of the business go on, and they may have a glimpse of light... after all, what you need is some good "social engineering" at work for you.

      Training anyway always needed to be tailored for the audience. Being a good teacher requires practice - and patience.

      1. Trevor_Pott Gold badge

        "Right, but in any environment you have to speak in a language understandable by your audience"

        "IT people think they are being asked to be everything when all they are being asked to do is to learn to communicate with others"

        The whole reason I went into IT in the first place was so that my audience would be computers, and those who preferred communicating with computers instead of people! FFS, why the metric monkey fnord is that so bloody hard for people to understand? We are not all social creatures. We do not all want to be social creatures. We will never all be good at being social creatures

        This relentless drive to punish those who are not gregarious extroverts is beyond annoying and borders on predjudice. Quit trying to eliminate every place where asocial people can hide. If you want to kill us off be man (and woman) enough to pick up a fucking gun and do some genetic cleansing. At least then you're honest about things, rather than trying to make millions of people choose between a life of employment misery or dying in the street.

        We spend a third of our lives at work. That time should be as interesting and engaging as possible. It shouldn't be a prison where you are tortured every day. For many of us, having to act like sales and marketing people, being socially gregarious and extroverted is a form of torture.

        Society should support people of all types. Not just those who conform to the social norm of business-class extroversion.

        Comptuers aren't people. That's the attraction. We don't want to teach. We want to program. We don't want to coddle emotions, we want to install applications. We don't want to deal with office politics, we want to implement policies from a centralized management application.

        Why should we, the technologists, have to make up for the deficits of everyone else int he entire bloody company, hmm? The company should be providing a body who translates between nerd and whatever it is that populates the rest of the company. Typically that's a manager of some variety.

        It's always "give, give, give". IT must change. IT must compromise. IT must adapt. IT must give up everything that makes their jobs worth doing.

        Why? For what? The rest of the company is never satisfied. The more IT gives up, the more they demand IT give up. The fact that IT bends at all is merely showing weakness...a weakness that is ruthlessly exploited so that the others can do less, learn less, care less and yet get paid more.

        Fuck 'em. All of 'em.

        1. Anonymous Coward
          Anonymous Coward

          "The whole reason I went into IT in the first place was so that my audience would be computers, and those who preferred communicating with computers instead of people! FFS, why the metric monkey fnord is that so bloody hard for people to understand? We are not all social creatures. We do not all want to be social creatures. We will never all be good at being social creatures"

          If you are going to work in society then you have to work with people. Is it that hard to understand? If you are an employee at a company, unless you are one of the lucky few who don't have to deal with people, you have to deal with people on some level. Get used to it. If you want to be asocial then you can do it on your own time. Yes, it sounds harsh but it is a fact of life.

          1. Trevor_Pott Gold badge

            If you are going to work in society then you have to work with people.

            I don't want to work "in society". I want to work with computers so that I don't have to work in society. Fuck society.

            Is it that hard to understand?

            Yes. For decades IT was where people who explicitly didn't want to work with people could go. Those who preferred machines to men; logic to emotion; code to politics. I don't understand why this should change, excepting that corporations are increasingly cheap fucking bastards seeking to save money by forcing IT to have more and more and more and more skills instead of investing in the necessary layers of translation required to allow specialists to remain specialists without trying to force them to also be salespeople, marketers and politicians.

            If you are an employee at a company, unless you are one of the lucky few who don't have to deal with people, you have to deal with people on some level.

            Do you even read what you write?

            Look, for decades IT were "the lucky people" who didn't have to deal with people. Why should we, as IT staff gracefully accept an end to this, instead of fighting the demanded changes with every ounce of our being?

            Get used to it.

            No.

            If you want to be asocial then you can do it on your own time.

            Wrong. If you want me to be social then you can pay me significantly more to put up with that shit as well as fix your technowidgets. They are two jobs. You want me to work two jobs then you pay me two salaries.

            Yes, it sounds harsh but it is a fact of life.

            No: you want it to be a fact of life. I say "fuck you", stick my middle finger up in the air and take my skills elsewhere. To hell with you and everyone who believes in your vision of a homogenous society. I support diversity. There should be many niches for many types of people, and any asshole who thinks otherwise can get bent.

        2. Anonymous Coward
          Anonymous Coward

          "Quit trying to eliminate every place where asocial people can hide. If you want to kill us off be man (and woman) enough to pick up a fucking gun and do some genetic cleansing"

          A bit dramatic don't you think? No one is trying to get you to come out of your private areas (your home). Every job requires some social interaction so in reality you are being asked to do your job. Period. If you don't like it, fine, go get another job that you like, or go move to some place in the woods that no human has ever set foot.

          "Why should we, the technologists, have to make up for the deficits of everyone else int he entire bloody company, hmm?"

          What are you talking about now? This article is about educating users. If you don't want to educate them then you don't have to, but don't expect end users to know how to do things the way you want them done. If there is an educator then you need to teach him/her the way things need to be done and why. Either way, you need to interact with people to get your way.

          "The fact that IT bends at all is merely showing weakness"

          No, No, No, No 1000 times! Compromise is not weakness. It is the only way to work with others for the best solution for everyone. Yes, sometimes you might get everything you want but most of the time you will have to compromise in life. An oak and a reed in a storm and all that.

          1. Trevor_Pott Gold badge

            Every job requires some social interaction so in reality you are being asked to do your job

            Bullshit. Lots of jobs require no, or extremely marginal amounts of social interaction. For decades IT was one of those. There is no reason for this to change.

            If you don't like it, fine, go get another job that you like

            And thank you very much, I will. But not because you give me permission. Because fuck you and your arrogant douchbaggery.

            or go move to some place in the woods that no human has ever set foot.

            Sounds great!

            This article is about educating users. If you don't want to educate them then you don't have to, but don't expect end users to know how to do things the way you want them done

            The job of the user is to read the information provided about how to use the tools they are provided and comply with that information. If users are "special" and unable to read then the company should provide them a wetnurse who can read the documentation and explain it to them in small enough words. That isn't IT's job, and in no rational world should it be.

            Compromise is not weakness.

            Yes it is.

            It is the only way to work with others for the best solution for everyone.

            Except that what is being described isn't the best solution for everyone. It's the best solution for everyone but IT. Compromise involves both sides giving ground in order that both sides achieve gains. IT being the only one who gives ground isn't really compromise. It's defeat.

            Yes, sometimes you might get everything you want but most of the time you will have to compromise in life.

            Compromise in which both sides give up equal amounts in order to achieve a mutually beneficial end is find. "Compromise" in which you capitulate in order to save those in power a bent pittance (so they can get bonuses) and so that everyone else can get away with doing less while you do ever more isn't "compromise". It's defeat.

            An oak and a reed in a storm and all that.

            You don't have to worry about oaks, reeds or storms if you live in a sealed underground bunker that is at all times prepared for war. And make no mistake, this is war.

            1. Anonymous Coward
              Anonymous Coward

              "For decades IT was one of those. There is no reason for this to change."

              Are you serious? You are an IT journalist and you think things should not change in IT? WTF! What world are you living in? IT evolves faster than most fields, not only in tech but in what IT does. Decades ago there was not such a big pool of people to fill IT jobs. You could be that asocial guy. Now there is a huge glut of people who can fill those jobs and so they also need to have other skills to gain an edge over the competition to get those jobs. One of those skills is communication, welcome to IT in 2015!

              " That isn't IT's job, and in no rational world should it be."

              It is IT's job to communicate about their specialties. Just like it is everyone else's job to communicate about their specialties!

              "IT being the only one who gives ground isn't really compromise. It's defeat."

              C.O.M.M.U.N.I.C.A.T.I.O.N <-- Learn this.

              1. Trevor_Pott Gold badge

                You are an IT journalist and you think things should not change in IT?

                Lots of things should change in IT. Clearly, you and I disagree with which ones.

                What world are you living in?

                A world in which discrimination against introverts is considered to be every bit as discriminator as discriminating against women, or individuals of colour, or...

                IT evolves faster than most fields, not only in tech but in what IT does

                I agree. But you are attempting to say that in addition to IT staff having to keep up with their own specialty evolving at breakneck pace that - to be perfectly blunt - most people wouldn't be able to cope with, they need to take on ever more other people's jobs so that those people can do less and less work.

                That's bullshit of the highest order.

                Decades ago there was not such a big pool of people to fill IT jobs. You could be that asocial guy. Now there is a huge glut of people who can fill those jobs and so they also need to have other skills to gain an edge over the competition to get those jobs. One of those skills is communication, welcome to IT in 2015!

                Actually, there's a dearth of experts and specialists today and a whole lot of barely competent "feelers". You seem to think the latter are a good thing. You are wrong.

                IT is about technology. It should retain the top talent for that technology. If you want somewhat technically literate people who specialize in social niceties make them managers, train them as such and have them run interference between the actual people applying the technology and the lazy shits in the rest of the company demanding that IT do everything while they pound their puds all day long.

                It is IT's job to communicate about their specialties. Just like it is everyone else's job to communicate about their specialties!

                No. nobody else has to communicate about their specialties. Everyone else either has individuals in their departments (typically managers) whose job it is to be that point of contact or they have laws that put the onus on everyone else to learn and obey.

                IT is the only department in the modern business place that is being asked to become a "company within a company". Everyone else can balloon in personnel size, have sub specialties, layers of management or simply force other departments to learn by fiat.

                IT shouldn't put up with being the whipping boy. Predators prey on the weak, and you are advocating nothing but weakness amidst a sea of predators.

                C.O.M.M.U.N.I.C.A.T.I.O.N <-- Learn this.

                You still haven't convinced me why I should. Are you bad at communication or something?

        3. LDS Silver badge

          I prefer to work with machines too because their behaviour is predictable, usually, and far more interesting. But I also know I work in a big company with many people and everybody has his or her goals, sometimes not very well aligned with company and other people ones.

          If I want to be able to be paid to work with interesting machines and tools, I know I have to be able to convince others that 1) what I do, or plan to do is important because the company has a valuable return 2) I'm very good at doing it thereby a replacement is not easy to find 3) others' are not as good

          I just talked to the CTO last week who has to decide which new/research projects fund next year. I had to convince him our proposals are the best ones, even if he's not an expert in our field, being the company so big - we were acquired a year and a half ago.

          I don't like to do these tasks, but I know that if I just sit down and wait for him to read a dense tech paper somewhere in his mailbox, someone else will get the funds, and I and my team should look for a new job elsewhere, or be assigned to someone's else stupid project.

          Sure, in a perfect world the CTO will perfectly know who I am, what I do, and will give me the funds for the project because he read the specs he asked me, and found them so good. When I find one I'll uninstall Office from my PC, cut any tie with the world but an Ethernet cable, and stop 'wasting' time to explain clueless people why they should believe in what I say. Until now, I know sometimes I have to wear a suit, fire up PowerPoint, smile, and explain for the nth time simple concepts they should already know, and 'sell' them things to do they should ask me instead...

          Until it pays well also for the 'gadgets' at home and other stuff I do beyond work and beyond IT, guess I will keep on...

          1. Trevor_Pott Gold badge

            @LDS you go to work to work with cool tech and are willing to pay the price of doing multiple people's job to do so.

            I want to work with technology specifically because it's a means to make a living without having to deal with people, and I really don't care if the tech is "cool" or not.

            I expect in either situation the company will buy the tech that is required to meet their legal and business objectives. Maybe if you politic you can get tech that is beyond those requirements. I'm content to work with tech that is exactly what is required. But yes, I absolutely expect the people in charge to either know enough to select the tech they need, or to read the documents I send them explaining what they need.

            Unlike some, I don't gussy up the requests in order to get "cool" tech. I only list what is required. If they can't understand or believe that then they need to hire someone they believe will, in fact, tell them the truth. I should emphatically not have to "sell them" on the idea.

            Perhaps you see the difference now between the two approaches and goals?

        4. Anonymous Coward
          Anonymous Coward

          > Why should we, the technologists, have to make up for the deficits of everyone else int he entire bloody company, hmm?

          While I sense that Trevor got out of the wrong side of the bed the morning before writing these comments, I do agree with him.

          I too am an introvert - very much so. In the same way that forcing someone who's artistic and not numerate to slave over a spreadsheet full of numbers is stressful to that person, forcing introverts like us to be extrovert is stressful to us. I'm in IT for many of the same reasons as Trevor - as a (recently) diagnosed autistic, dealing with people is stressful, dealing with (what should be) logical machines far less so.

          The theme going through the article and many of the comments is that if (for example) sales "don't get" security then it's IT's fault for not teaching it properly. No, it's as much sales's fault for not taking the time to learn the tools they are using.

          As an analogy, we expect a fine artist to understand about the canvas, paints, palette knives, brushes, etc they are using. Their job is to use those materials to produce something.

          In the same way, if you are in sales, you have some tools available to you - and some of those will be computer systems. You should expect others to expect you to learn how to use them properly - not whinge at IT if you fumess it up - in the same way that the artist shouldn't be complaining that it's the paint brush supplier's fault if they don't know which end of the brush to use.

          I'm not suggesting that users should be sat at a workstation and told "figure it out". No, they should be trained properly how to use the systems (IT or otherwise - there are a lot of systems that aren't IT). That training is a TRAINING function, it is NOT an IT function.

          Getting a bit closer to home, part of my ${dayjob} is provision of web servers. As long as the server is running and correctly serving up HTML to browsers then I've done my job on that. If the end user doesn't know how to write HTML then that is not my problem (I only know the very basics).

          So to summarise :

          Training end users in security is not an IT function - it is a training function. Training end users how to use the various systems/processes they need for their job is not an IT function - it's a training function.

          If anyone is expecting IT to do training function and complains that they aren't very good at it - then that is a management failure.

          It is the job of "management" (meaning all those from CEO/Managing Director down to department/team level) to best use the skills and resources available. If that chain of management has sloped it's shoulders and thrown an inappropriate task at any group (not just IT) then they have failed. If they complain about the failure of someone to do a task for which they don't have the skills or aptitude, and which they are not psychologically suited for, then they have doubly failed.

          If you watched someone instruct me to paint a "grand master" quality oil painting, and then rolled around in laughter at my failure to do so, then you'd hopefully get the point that it's a management failure by giving me a task I'm not skilled for. Given incentives and suitable training, I could probably get to the point where the output is at least recognisable - but I can't and it would be daft for someone to give me that task.

          Yet the same people who would agree with that statement, would then take the opposite view if an "IT" person fails in a similarly unsuitable task.

          There are a lot of management failures !

          1. Anonymous Coward
            Anonymous Coward

            "The theme going through the article and many of the comments is that if (for example) sales "don't get" security then it's IT's fault for not teaching it properly. No, it's as much sales's fault for not taking the time to learn the tools they are using."

            It is sales job to know how to make a sale, not to know how to fix a computer. Is it your job to fix the electricity or plumbing when it breaks? No, you call the electricians and plumbers.

            "I'm not suggesting that users should be sat at a workstation and told "figure it out". No, they should be trained properly how to use the systems (IT or otherwise - there are a lot of systems that aren't IT). That training is a TRAINING function, it is NOT an IT function."

            Who is going to train the trainers, or are the trainers are just as skilled as you and require no training? What happens in places where they cannot afford professional trainers?

    2. Anonymous Coward
      Anonymous Coward

      "The expectation that IT will be all things to all people is utter bullshit."

      This is one of the big issues in IT! IT people think they are being asked to be everything when all they are being asked to do is to learn to communicate with others. No one cares about algorithms, encryption, security, servers, routers, Python, Docker, etc. All they care about is doing their job as easily as possible and getting a paycheck.

      I took this article as saying if you want to get your message across then you have to learn to speak the language of the targeted audience, not nerd. If you talk to management or have ever worked with the end user then this is a must. You need to speak their language to get your message across, the same applies to anyone trying to make a "sale" (getting what you want - get funding, teaching users good practices, etc).

      End users are smart in their own way and if they understand why they need to do something a certain way (security, better work flow, they will get fired if they don't, etc) then most will do it without any fuss. Yes I understand some users will put up a fight but they are a minority. If you want funding from management then you need to either have an IT meltdown/breach causing financial loss or give a presentation about how this new hardware/software will save the company money, ROI, etc using shiny charts and graphs. Speak their language...

  3. Captain Underpants

    +1, Trevor

    This is just the same old "IT-Business Alignment" bollockery, with the exact same assumption that management, HR, and basically everyone except IT are by default "aligned with the business". Which is just daft.

    Yes, it is almost certainly the case that IT and infosec teams have different views on why security matters than do management. But if management don't understand that eg failing to invest in preventative infosec measures will cost them money, that's a management failure, not an IT failure. I'm always happy to learn new skills and find ways to understand the requirements and perspective of my userbase, but I'm sick to the back teeth of being told by "analysts" that it's entirely right that IT should have to put all the effort into these issues.

    Also, that list is a bit daft (at least 5 items on it are outright nonsense, and that's just off the top of my head). Infosec isn't about "cool", it's about good working practice and getting people to understand how they can make sure that they work in a way that minimises both the organisation and their own personal exposure to a variety of risks. Anyone who thinks that getting people to engage with training requires it to be "cool" has clearly given up on any notion of working with even remotely intelligent, professional humans, at which point why bother at all?

    I'm betting that in any organisation where that list doesn't just provoke laughter, the real root problem with infosec (and any other IT-related issue) is a culture where IT are viewed as a money-draining black hole of bureaucrats who "just don't get the business" or such.

    1. Anonymous Coward
      Anonymous Coward

      RE: Infosec isn't about "cool"

      You right its not... But then articles is not particle about infosec - its about education.

      Would you train a dog by reading procedures to it and threatening it with a stick? No you would not. You'd make it fun and engaging, showing the dog their is a benefit in it (i.e. a treat).

      Yes I'm comparing users to dogs... they're just as stupid, just as difficult to train. But if you dangle a treat in front of them, then you'll get a better result!

      Personally, I hate the whole fucking idea of "IT" taking responsibility to educate users, thats not what I signed on for - but it looks like we've been lumped with it, so we may as well do it properly.

      1. Captain Underpants

        Re: RE: Infosec isn't about "cool"

        I take your point, but I still think it's a management failure as root cause.

        Good training on the trainer's side is down to whatever's shown to work well. If your infosec team can't deliver good training, perhaps that's because the skills required to deliver training are significantly different to those required for their core roles. But that's only half of the issue, because if the trainees don't have any interest or willingness to engage, you're never going to get anywhere.

        Teaching people about something that's fun and interesting is easy; it's very rare that Standards Compliance, Good Practice and Information Security can be described as "fun" and "interesting" unless you're of a particular mindset that, more often than not, will have you on the delivery end of the training rather than the recipient end.

        I've worked in organisations that have dedicated Business Liaison teams - they're effectively at the same sort of level as service managers, but their role is to be the translation layer between the technical teams and the managers representing each user group. It's unideal, but it's better than expecting to be able to hire one person who can deliver excellent training to a diverse range of personality types and write great documentation and carry out risk analysis from a business perspective in a form that's easily understood by business management and also be worth a damn at the actual infosec role that they're nominally being hired to perform.

        A lot of training is boring. Every job I've started, I've been sent on numerous mind-numbing HR-mandated courses, many of which have appeared pointless to me. The thing is, while I'll try and provide feedback on how to make them better, I don't go "well, fuck 'em, the course was boring so I'm just going to pick brown daisies and ignore what they say to do, and if that turns out to expose the company to legal liability I'll just blame the training". I grit my teeth if need be and just get through it because that's part of professional conduct. I don't like the culture that many organisations have where this idea applies everywhere except IT. Not least because most practices relating to IT and infosec aren't actually complex on a technical basis, so they can be made to apply just as easily in non-computerised areas (I've had some success explaining certain concepts to my users by taking precisely this approach - analogies to the likes of trashing can be quite helpful at times).

        1. J P

          Re: RE: Infosec isn't about "cool"

          Captain Underpants has it about right. I work in a totally different field to IT*, and face a similar problem trying to get people interested in the stuff that I do; simply jumping up and down an shouting "this is important - you have to listen to me, however bad I am at communicating it!" doesn't seem to work very well, and you just get sidelined by more interesting alternatives, which is a bad result for everyone.

          Of course not every IT bod has to be a polished communicator; the underlying technical skills are way more important. But someone, somewhere, has to work out how to do for infosec what Brian Cox has done for astrophysics and actually get ordinary people engaged with it, using language and imagery that they can understand.

          *I do tax policy. Sometimes I liken tax systems to an oil refinery - everyone can have an opinion on where it should be built, and what you'd like it to do (pollute less, focus on certain outputs), but when it comes to the actual design you should defer to the guys with the qualifications who actually know which valve should go where, and why you need to use high grade steel and not just leftover bits from your kid's Lego Technics to build it with. I'm working really, really hard to try to get some of the important messages about how tax systems work, and fail, across in accessible language in a desperate attempt to raise the tone of the debate, and it sounds like Captain Underpants is trying to bring a similar level of professionalism to infosec. (Yes, I find it deliciously ironic that we're getting lectures on professional conduct from Captain Underpants - but that doesn't affect the validity of the message.)

      2. Trevor_Pott Gold badge

        Re: RE: Infosec isn't about "cool"

        Would you train a dog by reading procedures to it and threatening it with a stick?

        Dogs are willing and able to learn. Most employees aren't.

        You'd make it fun and engaging, showing the dog their is a benefit in it (i.e. a treat)

        So you want to give treats to everyone in a business in order to do their job by making IT do things they hate?

        Fuck you. In the face. With a metric tonne of battery acid.

        Personally, I hate the whole fucking idea of "IT" taking responsibility to educate users, thats not what I signed on for - but it looks like we've been lumped with it, so we may as well do it properly.

        Why should I do a single thing that isn't what I signed on for unless there is a substantial reward for doing so? Preferably in a large number of additional dollars.

        1. K Silver badge

          Fuck you. In the face. With a metric tonne of battery acid.

          Trevor, I really think you should seek help!

          "So you want to give treats to everyone in a business in order to do their job by making IT do things they hate?"

          If it improves security and makes our job easier - fuck yes!

          Now stop being a whiny bitch, its not like its your personal money!

          1. Trevor_Pott Gold badge

            Re: Fuck you. In the face. With a metric tonne of battery acid.

            If it improves security and makes our job easier - fuck yes!

            Why should IT care about security unless they're being paid to? And why should they do anything that "makes their job easier" if it means more work for less pay? That's the opposite of an easier job! If the job is more crap then pay more. Simples.

            Now stop being a whiny bitch, its not like its your personal money!

            It's my personal time. And if I don't bitch about people treating IT staff like shit, they'll just keep dumping on IT staff and treating them like shit. IT staff are worth more than that.

            1. K Silver badge

              Re: Fuck you. In the face. With a metric tonne of battery acid.

              "Why should IT care about security unless they're being paid to?"

              Because if there is a data breach and you work for an SME, then kiss your job and income goodbye.

              "if it means more work for less pay?"

              Its different work, for the same pay. A company pays for your time and skills. As long as they deem to utilize them properly, then I see no problem.

              "It's my personal time."

              Yep, and mine.. what the f*ck are we like!

              1. Trevor_Pott Gold badge

                Re: Fuck you. In the face. With a metric tonne of battery acid.

                Because if there is a data breach and you work for an SME, then kiss your job and income goodbye.

                Then do it now and don't delay. There will be data breaches. They are inevitable and cannot be fully prevented. Prevention is only one part of security. There is also detection/monitoring mitigation and incident response.

                If you are in a position where you will lose your job because of a data breach then get the hell out right now. Period. Especially since you cannot properly educate or control an unwilling company or it's employees, not matter how many other people's jobs you do while trying.

                Its different work, for the same pay. A company pays for your time and skills. As long as they deem to utilize them properly, then I see no problem.

                It's more work for the same pay. The company doesn't pay per hour. They never do. They pay a flat salary and expect you to deliver on X deliverables. Because of this it's seen as okay to just ask IT to do the work of multiple people.

                No problem, right? Wrong. We didn't sign up to be learning technology, sales, marketing, and politics and implementing that all in the job. Where and when are you going to learn this? Are you paid for that training time? For the courses? Are you going to be paid for all the overtime? Are the expectations on deliverables and timeframes for the technology projects going to become more reasonable as a consequence of having to take on these other jobs?

                Of course not. You are just expected to stand and deliver. Well fuck that. Fuck that hard.

                If you want to give up your personal time making someone else rich, then you're nuts.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Fuck you. In the face. With a metric tonne of battery acid.

                  "If you want to give up your personal time making someone else rich, then you're nuts."

                  All of us make someone else rich - government, CEO, shareholders, partners, etc.

                  "We didn't sign up to be learning technology, sales, marketing, and politics and implementing that all in the job."

                  You signed up to do your job and, let me guess, "other duties as assigned" or some other vague, open ended clause. If not, quit, and find a new job. Either way, stop acting like a teenager who doesn't get their way.

                  "You are just expected to stand and deliver. Well fuck that. Fuck that hard."

                  Is writing for El Reg really that bad? Maybe you should quit

                  1. Trevor_Pott Gold badge

                    Re: Fuck you. In the face. With a metric tonne of battery acid.

                    All of us make someone else rich - government, CEO, shareholders, partners, etc.

                    But why would or should I give up even a second of unpaid time to do so? Hmm?

                    You signed up to do your job and, let me guess, "other duties as assigned" or some other vague, open ended clause. If not, quit, and find a new job. Either way, stop acting like a teenager who doesn't get their way.

                    I did quit, ya arse. That doesn't mean I, or anyone else should take it on the chin from others just because you personally enjoy making other people rich in your spare time.

  4. Anonymous Coward
    Anonymous Coward

    Isn't the problem that organisations now seem to expect their infosec (all IT?) professionals (the people that do the work and worry about the problems) to also be marketing people (great at talking to anybody to sell them the shiniest new thing even if that shiny new thing is donating to war orphans)?

    If you want this kind of joined up approach then your IT Teams should include marketing people, legal people, sales people, authors, clerks, etc... No one can be all things to all men.

    We can't all be great orators, for instance I can't read and talk at the same time and have a tendency to trip over my own words and rapidly change direction as I constantly re-evaluate information in my own head. Give me a white board and a set of coloured pens and just sit back and await the outcome whilst throwing thoughts at me and we're golden though. Or chat the breeze down the pub.

    So shouldn't these things actually say "XYZ needs marketing people and trainers who understand XYZ"

    1. Pascal Monett Silver badge
      Coat

      So, basically you're saying that Infosec briefings should be done down at the pub ?

      Where can I sign up ?

  5. Graham 32

    "Receptionists should for instance be given a copy of Kevin Mitnick's The Art of Deception for easy consumption of social engineering training, French says."

    Yeah, cos the receptionist is going to read a 304 page book on something they don't care about.

    1. Anonymous Coward
      Facepalm

      Just email the pdf to the ceo and I'm sure she'll read it.

  6. Evil Auditor Silver badge

    10 reasons why your security training programs aren't working

    Seems pretty generic to me and applicable to many presentations. Oh, and no. 11: you rely on PowerPoint.

  7. OzBob

    When I started in IT in the late 80s

    it was full of those that present on merit and talent, and was still such a new thing that management did not take it for granted.

    Nowadays, there is a noticeable drop-off in those in their 20s in corporate IT. The talented people have found something more interesting to do.

    It sounds like you have discovered the extra hidden "feature" of working in IT that most IT workers didn't realise was there and hate having to navigate - politics and power games. Once you get above a certain level in a hierarchy, that is all you do, protect your patch and do over other people / sections.

    I mentioned to Dominic Connor that he should write a book about office politics for techies. Haven't heard much on that count, might start a blog as I recognise certain things as they occur in my current office.

    1. Captain Underpants

      Re: When I started in IT in the late 80s

      @OzBob: as far as "office politics for techies" goes, the Bob-Howard-centric Laundry Files books by Charlie Stross are pretty good (and have entertaining diversions into Lovecraftian weirdness for when you lose the will to live after hearing yet another rant about matrix management....)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019