Similar Searches

  • Fresh Reasons to Review The Company E-mail Policy (April 15, 2010)

    The recent decision for employee e-mail privacy and lawyer-client privilege by the New Jersey Supreme Court produced celebratory fist-bumps by groups ranging from the Employers Association of New Jersey (EANJ) to the National Employment Lawyers Association of New

  • A Discussion You Might Want to Follow (August 20, 2009)

    What can PCI DSS do, and what can it not? What role may it have played or should it have played in the recent breaches? There is a discussion going on at StorefrontBacktalk that you may want to read...and be

  • Proactive Security (November 9, 2009)

    One thing I see again and again in this job is that people usually don’t think about security until after they are hit with an incident. Companies create disaster recovery plans after the disaster. They come up with incident response

  • Watching World Cup 2010 Online Can Lead to Scams (June 28, 2010)

    Just in case you are looking for websites to watch the 2010 FIFA World Cup matches online, you will also find many questionable websites offering live football streams! Many of these sites will ask you to install software to get

  • Security Concerns Less Considered (May 27, 2010)

    Concern about security threats such as malware and data loss is common and certainly warranted. But understanding of where threats come from varies. Most know Phishing, Spam, Adware, and PUPs are likely culprits and understand that any given site

Being the “Bad Guy”

Are we in the "no" business? I have to ask that question because of what I sometimes encounter in PCI assessments and even PCI training. I recommend limiting Internet access, restricting access to cardholder data, or changing a business process, and I am seen as interfering with some users' perceived ability to do their job. I am, in their mind, in the "no" business.

I saw an article in Slate subtitled "Why corporate IT should let us browse any way we want." The author's point is that restrictions such as blocking access to social networking sites or "e-mail and chat programs, dating sites, shopping sites, and news sites like Digg or Reddit (or even Slate)" foster resentment, reduce morale, and are corrosive to creativity. Wow. And I thought I was just protecting the client. Is this guy clueless, or am I missing something?

I read the Slate piece because of an interesting and very thoughtful post at Security Catalyst responding to it. The thinking is that while you may not agree with the Slate author, you have to admit that he represents what a lot of users -- your users -- are thinking. Instead of just responding with another rant, maybe we need to listen to the objections...really listen. Maybe we ought to take a look at the restrictions to make sure they really make sense.


One Comment on “Being the “Bad Guy””

  • denniskuntz wrote on 14 December, 2009, 9:51

    Thanks for the kind words, and you reiterated my point very well. In addition to what you have to say in the post, I would offer this: As well as educating users about restrictions, and looking for converts, etc., we need to make sure that _we’re_ open to education and “conversion” as well.

    That way when we do indeed need to employ something that might seem to be draconian, we have that much more credibility. When you have that credibility, even if education and/or conversion didn’t take hold, you might get a response similar to: “Well, [insert security professional here] is normally pretty considerate, so if [he/she] needs to implement this, it must really be necessary.” That’s definitely not a bad thing.


Copyright © 2010 The Security Blog. All rights reserved.