Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


How do I communicate to the business they need to stop forking over half-million dollar checks to InfoSec consultants?


Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer

Tab8715 posted:

So,

All the InfoSec guys on twitter are telling me to stop focusing on 0-Days and start focusing more on IT Hygiene. Not that 0-Days aren't important, but for most medium-large businesses that aren't the military, government or otherwise a likely target of hackers, being organized is much more important than we once realized.

Thoughts?

Tab8715 posted:

How do I communicate to the business they need to stop forking over half-million dollar checks to InfoSec consultants?

These two statements one after the other feel like there is some context missing.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


My customers would rather listen to some Infosec guy trying to sell them whatever fancy whizbang product/service that gets you 1% closer to stopping a 0-day than hiring folks internally to maintain what we already have in place.

angry armadillo
Jul 26, 2010
I have an interview this week and one of the things on the job spec was knowledge of the software development life cycle

I’m good to go on the other 99% of the spec but I have minimal exposure to working on dev projects

Obviously I’ve done a bit of research and things look fairly logical but any top tips or good reading anyone can pass on would be appreciated?

I’m looking at a project manager role for context

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

So we're not allowed to hire additional programmers on staff, but we're allowed to spend 250k on programming consultants. I really need to start my own consulting company and have my job hire my programmers.

Proteus Jones
Feb 28, 2013



GreenNight posted:

So we're not allowed to hire additional programmers on staff, but we're allowed to spend 250k on programming consultants. I really need to start my own consulting company and have my job hire my programmers.

OpEx vs CapEx. I have been burned by that before.

Thanks Ants
May 21, 2004

#essereFerrari


Wouldn't those both be OpEx?

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We'd hire the programmer at 80 grand and get 100% of his time. Now we spend 250k and maybe get 40% of his time. It's crazy.

Che Delilas
Nov 23, 2009
FREE TIBET WEED

Tab8715 posted:

My customers would rather listen to some Infosec guy trying to sell them whatever fancy whizbang product/service that gets you 1% closer to stopping a 0-day than hiring folks internally to maintain what we already have in place.

Try a listicle. "Nine security procedures that could save your network!" "Five easy steps to help you avoid bankrupting GPNS fines!"

CLAM DOWN
Feb 13, 2007




lampey posted:

Yes it is likely that focusing on patching, best practices for network design, following least privilege principles, auditing current permissions, and monitoring for all of the above to ensure it doesn't change is a better use of your time. You are 1000x more likely to have a problem because a server has 3389 exposed to the internet and you have a weak administrator account password with the default name. Or a user downloaded malware that takes advantage of a vulnerability that should have been patched a year ago.

:agreed:

Proteus Jones
Feb 28, 2013



Thanks Ants posted:

Wouldn't those both be OpEx?

Nope. At least not for us. Contractors were lumped into CapEx. OpEx for employees was always calculated for current staffing, with overage baked in for predicted raises, promotions and bonuses. The only way to convince them to increase permanent head-count was to submit the request prior to the annual budget meetings, even though you may not know ahead of time if you need it or not.

Oh, and requesting an increase in OpEx and not using it makes it more likely that future requests will be denied. It's not like that anymore (by that I mean the requesting additional FT people), but god drat there was almost a revolt in my team a few years ago because of this.

Thanks Ants
May 21, 2004

#essereFerrari


Some companies are so incredibly badly run

The idea that it's better to spend more for a lower quality outcome because somebody doesn't want to have a talk about a balance sheet will never stop being amazing.

Proteus Jones
Feb 28, 2013



Thanks Ants posted:

Some companies are so incredibly badly run

The idea that it's better to spend more for a lower quality outcome because somebody doesn't want to have a talk about a balance sheet will never stop being amazing.

Amazing is not quite the word I would use.

Bonzo
Mar 11, 2004

Just like Mama used to make it!

lampey posted:

Yes it is likely that focusing on patching, best practices for network design, following least privilege principles, auditing current permissions, and monitoring for all of the above to ensure it doesn't change is a better use of your time. You are 1000x more likely to have a problem because a server has 3389 exposed to the internet and you have a weak administrator account password with the default name. Or a user downloaded malware that takes advantage of a vulnerability that should have been patched a year ago.

I tell people to pretend that the attackers are already in the network so don't do stupid poo poo and allow them further access.

Tab8715 posted:

How do I communicate to the business they need to stop forking over half-million dollar checks to InfoSec consultants?


I'm on a security review team that deals with requests from customers that send us their security audits about our software. We get these multiple page reports followed by stern emails from C levels about how these issues need to be addressed ASAP and we need the entire Dev team on a conference call 8am Monday and we'd better have a drat plan!

With few exceptions nearly every report gets sent back pointing out to them that they are running out-of-maintenance software (in most cases they are 3 - 5 years out of date) and need to update, or they need to patch and harden their servers. The thing is that when you buy our poo poo, we give you guides for server/database hardening and even provide a chapter on it in our online and onsite training.

So we kinda get a kick out of people spending 6 or 7 figures to be told to just RTFM.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Che Delilas posted:

Try a listicle. "Nine security procedures that could save your network!" "Five easy steps to help you avoid bankrupting GPNS fines!"

If I could put this on Airport Lounge advertisements, that might just work.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Bonzo posted:

I'm on a security review team that deals with requests from customers that send us their security audits about our software. We get these multiple page reports followed by stern emails from C levels about how these issues need to be addressed ASAP and we need the entire Dev team on a conference call 8am Monday and we'd better have a drat plan!

With few exceptions nearly every report gets sent back pointing out to them that they are running out-of-maintenance software (in most cases they are 3 - 5 years out of date) and need to update, or they need to patch and harden their servers. The thing is that when you buy our poo poo, we give you guides for server/database hardening and even provide a chapter on it in our online and onsite training.

So we kinda get a kick out of people spending 6 or 7 figures to be told to just RTFM.

In some ways, I do see how it's easier to simply throw money at a vendor to install some fancy new security appliance than it is to try and figure out IT Debt. Only god knows what the permissions are on that Service Account :a2m: :aaa:

Thanks Ants
May 21, 2004

#essereFerrari


Enterprise Admin to lookup user permissions

Defenestrategy
Oct 24, 2010

Anyone have an idea of how much full time IT staff you would ideally have for a company of 50/100/500/1000 people?

Like if I said, there are only two full time IT people, a senior and an entry level dude, for a company of say one hundred people with responsibility for all systems, AV, VMs, Helpdesk poo poo, acquisitions, LDAP, etc, etc would that be weird/common/ideal?

Tetramin
Apr 1, 2006

I'ma buck you up.

Defenestrategy posted:

Anyone have an idea of how much full time IT staff you would ideally have for a company of 50/100/500/1000 people?

Like if I said, there are only two full time IT people, a senior and an entry level dude, for a company of say one hundred people with responsibility for all systems, AV, VMs, Helpdesk poo poo, acquisitions, LDAP, etc, etc would that be weird/common/ideal?

We have 3 service desk, 3 sysadmins, and 2 network admins for a 3k+ company lol. Kill me.

Your scenario sounds pretty bad. I would at least want a dedicated service desk person for triage and handling the silly stuff that comes in.

Defenestrategy
Oct 24, 2010

Tetramin posted:


Your scenario sounds pretty bad. I would at least want a dedicated service desk person for triage and handling the silly stuff that comes in.

We're a tech company so our users can pretty much handle the silly silly poo poo except for HR who can barely handle onboarding :smithicide:

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Omg mobile for jira is the best app ever.

Tetramin
Apr 1, 2006

I'ma buck you up.
I just did a pretty big Cisco phone deployment for one of our recently bought locations. Pretty much everybody there secretly resented us buying them out and I feel pretty bad coming in and forcing them to change, even though their phone system was about 25 years old and getting them on jabber and ip phones is gonna be a huge upgrade. Just felt a lot of sympathy for the dinosaurs who couldn’t wrap their head around things like dialing before you pick up the handset.

At least it was in Colorado so I got to get loving ripped at the hotel every night I was out there

Internet Explorer
Jun 1, 2005





Defenestrategy posted:

Anyone have an idea of how much full time IT staff you would ideally have for a company of 50/100/500/1000 people?

Like if I said, there are only two full time IT people, a senior and an entry level dude, for a company of say one hundred people with responsibility for all systems, AV, VMs, Helpdesk poo poo, acquisitions, LDAP, etc, etc would that be weird/common/ideal?

We have two people at my company of ~90, and it is a law firm so the users require a pretty high amount of hand-holding. That being said we do non-persistent VDIs and I think we get relatively few tickets because of it. I'm not going to say I'd turn down an extra person, but we do alright. We don't have a trainer and that has been our biggest problem for years. Also, management is listless, so that is also a point of frustration.

[Edit: I've worked at larger places and 2 per 100 people sounds about right for users who need hand-holding. As you get bigger I think there's some economy of scale going on, but it's always going to depend on your industry and what you are trying to do. If you've got in-house custom apps or are trying to go gung-ho on something like ServiceNow or a highly-customized main line of business app, then you're going to need more people per capita. There's not really a rule of thumb for IT:user ratio.]

Internet Explorer fucked around with this message at 03:58 on Feb 25, 2019

Neddy Seagoon
Oct 12, 2012

"Hi Everybody!"

angry armadillo posted:

I have an interview this week and one of the things on the job spec was knowledge of the software development life cycle

I’m good to go on the other 99% of the spec but I have minimal exposure to working on dev projects

Obviously I’ve done a bit of research and things look fairly logical but any top tips or good reading anyone can pass on would be appreciated?

I’m looking at a project manager role for context

Based on observations in these threads:

Design
Testing
Evaluation
Management's input
Heavy drinking
Re-design
Testing
Evaluation
Management's input
Heavy drinking
Change the colour of the menu background
Testing
Try not to murder sales team promising nonexistent features
Realize you're out of liquor
Bury bodies of sales team and manager in landfill
Testing
Release

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true :ohdear:

Virigoth
Apr 28, 2009

Corona rules everything around me
C.R.E.A.M. get the virus
In the ICU y'all......



Sepist posted:

I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true :ohdear:

:yotj:

MC Fruit Stripe
Nov 26, 2002

around and around we go
Yyaaaaayyyyyy!!!!!!

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Sepist posted:

I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true :ohdear:

Congratulations!

Sefal
Nov 8, 2011
Fun Shoe

Sepist posted:

I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true :ohdear:

Congratulations!!
:yotj:

Docjowles
Apr 9, 2009

Congrats man :toot:

LochNessMonster
Feb 3, 2005

I need about three fitty


Congratulations!

Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy

Sepist posted:

I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true :ohdear:

:)

CLAM DOWN
Feb 13, 2007




Sepist posted:

I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true :ohdear:

My condolences

Bonzo
Mar 11, 2004

Just like Mama used to make it!
How is it that companies have no issues rolling out Windows/Office Suite upgrades and quarterly updates but asking them to apply a patch to an Enterprise application practically involves begging?

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

Sepist posted:

I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true :ohdear:

If you previously thought you were good at time management, you're going to learn really quickly what you're actually capable of.

Sickening
Jul 16, 2007

Black summer was the best summer.

Bonzo posted:

How is it that companies have no issues rolling out Windows/Office Suite upgrades and quarterly updates but asking them to apply a patch to an Enterprise application practically involves begging?

If it's only a security concern, I don't let it bother me. If leaders aren't on board with patching servers/services, then just add it to the current accepted risk list. I also make that list highly available. Anything in my reports to leadership will display it somewhere in bright red and it eventually bothers people enough to help move things forward. If the communication of risk just lives in someone's inbox or is just verbally communicated, it's easy to ignore.

I send a report weekly of my team's active projects and progress to management. The current issues section (generally where I am waiting on other teams to resolve an issue) will always have the current accepted risk section. Everything I put there is meant to be embarrassing to look at.
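As an added example (not code from this thread or any poster), here is a small Python hygiene audit covering the points lampey's quoted post raises (RDP on 3389 open to the internet, an enabled admin account with the default name, patches a year overdue) and producing the worst-first accepted-risk listing Sickening describes keeping in the weekly report. The host inventory format, host names, ports, account names and the 30-day patch SLA are all constructed for the example.

```python
from dataclasses import dataclass
# Constructed, illustrative inventory format; not the output of any real tool.
INTERNET = "0.0.0.0/0"
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}
REMOTE_ADMIN_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM"}

@dataclass
class Host:
    name: str
    inbound: list          # (port, source_cidr) pairs allowed by the perimeter firewall
    admin_accounts: list   # (username, enabled) for local administrator-group members
    days_since_patch: int  # age of the newest installed OS patch

def hygiene_findings(host, patch_sla_days=30):
    """Return (severity, findings); an exposed remote-admin port plus a
    default-named enabled admin account is the 'critical' case from the thread."""
    findings, exposed, default_admin = [], False, False
    for port, source in host.inbound:
        if port in REMOTE_ADMIN_PORTS and source == INTERNET:
            exposed = True
            findings.append(f"{REMOTE_ADMIN_PORTS[port]} ({port}) reachable from the internet")
    for user, enabled in host.admin_accounts:
        if enabled and user.lower() in DEFAULT_ADMIN_NAMES:
            default_admin = True
            findings.append(f"enabled admin account with default name '{user}'")
    if host.days_since_patch > patch_sla_days:
        findings.append(f"{host.days_since_patch} days since last OS patch (SLA {patch_sla_days})")
    if exposed and default_admin:
        severity = "critical"
    elif exposed or default_admin:
        severity = "high"
    else:
        severity = "medium" if findings else "ok"
    return severity, findings

def accepted_risk_report(hosts, patch_sla_days=30):
    """Flatten findings into (severity, host, finding) rows, worst first:
    the list that goes in the weekly report rather than living in an inbox."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    rows = []
    for h in hosts:
        sev, items = hygiene_findings(h, patch_sla_days)
        rows.extend((sev, h.name, item) for item in items)
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

# Constructed sample inventory (hypothetical hosts)
SAMPLE_HOSTS = [
    Host("fileserver01", [(3389, INTERNET), (445, "10.0.0.0/8")], [("Administrator", True)], 400),
    Host("web01", [(443, INTERNET), (22, "10.0.0.0/8")], [("ops-admin", True)], 10),
    Host("jump01", [(22, INTERNET)], [("root", False), ("ops-admin", True)], 5),
]

if __name__ == "__main__":
    for sev, host, item in accepted_risk_report(SAMPLE_HOSTS):
        print(f"[{sev.upper():8}] {host}: {item}")
```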

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Vulture Culture posted:

If you previously thought you were good at time management, you're going to learn really quickly what you're actually capable of

Can I put my upgraded time management skills on my resume?

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else
What if you find out they're so much worse than you were selling?

Time_pants
Jun 25, 2012

Now sauntering to the ring, please welcome the lackadaisical style of the man who is always doing something...

I am trying to get into networking, and I'm looking for a primer on the absolute basics (which is where I'm starting from). Assume zero knowledge other than what is taught as part of the A+ certification. Is there an online resource out there that covers the beginner level in preparation for N+?


Bonzo
Mar 11, 2004

Just like Mama used to make it!

Time_pants posted:

I am trying to get into networking, and I'm looking for a primer on the absolute basics (which is where I'm starting from). Assume zero knowledge other than what is taught as part of the A+ certification. Is there an online resource out there that covers the beginner level in preparation for N+?

Psssst have a look at https://forums.somethingawful.com/showthread.php?threadid=3521165

https://www.professormesser.com/ is probably the most popular. Mike Meyers (not the Wayne's World guy) has a series over on udemy which is probably $20 on sale right now.

These classes will assume you know what things like IP addresses, servers, and routers are. Like can you tell the difference between the three? Yes? Then you should be ok.
