|
How do I communicate to the business they need to stop forking over half-million dollar checks to InfoSec consultants?
|
# ? Feb 24, 2019 22:44 |
|
Tab8715 posted: So, Tab8715 posted: How do I communicate to the business they need to stop forking over half-million dollar checks to InfoSec consultants? These two statements one after the other feel like there is some context missing.
|
# ? Feb 24, 2019 22:48 |
|
My customers would rather listen to some Infosec guy trying to sell them whatever fancy wizzbang product/service that gets you 1% closer to stopping a 0-day than hiring folks internally to maintain what we already have in place.
|
# ? Feb 24, 2019 22:56 |
|
I have an interview this week and one of the things on the job spec was knowledge of the software development life cycle. I’m good to go on the other 99% of the spec but I have minimal exposure to working on dev projects. Obviously I’ve done a bit of research and things look fairly logical, but any top tips or good reading anyone can pass on would be appreciated. I’m looking at a project manager role, for context.
|
# ? Feb 24, 2019 22:57 |
|
So we're not allowed to hire additional programmers on staff, but we're allowed to spend 250k on programming consultants. I really need to start my own consulting company and have my job hire my programmers.
|
# ? Feb 24, 2019 23:35 |
|
GreenNight posted:So we're not allowed to hire additional programmers on staff, but we're allowed to spend 250k on programming consultants. I really need to start my own consulting company and have my job hire my programmers. OpEx vs CapEx. I have been burned by that before.
|
# ? Feb 24, 2019 23:37 |
|
Wouldn't those both be OpEx?
|
# ? Feb 24, 2019 23:40 |
|
We'd hire the programmer at 80 grand and get 100% of his time. Now we spend 250k and maybe get 40% of his time. It's crazy.
|
# ? Feb 24, 2019 23:41 |
|
Tab8715 posted:My customers would rather listen to some Infosec guy trying to sell them whatever fancy wizzbang product/service that gets you 1% closer to stopping a 0-day than hiring folks internally to maintain what we already have in place. Try a listicle. "Nine security procedures that could save your network!" "Five easy steps to help you avoid bankrupting GPNS fines!"
|
# ? Feb 24, 2019 23:48 |
|
lampey posted:Yes it is likely that focusing on patching, best practices for network design, following least privilege principles, auditing current permissions, and monitoring for all of the above to ensure it doesn't change is a better use of your time. You are 1000x more likely to have a problem because a server has 3389 exposed to the internet and you have a weak administrator account password with the default name. Or a user downloaded malware that takes advantage of a vulnerability that should have been patched a year ago.
|
# ? Feb 24, 2019 23:58 |
|
Thanks Ants posted:Wouldn't those both be OpEx? Nope. At least not for us. Contractors were lumped into CapEx. OpEx for employees was always calculated for current staffing, with overage baked in for predicted raises, promotions and bonuses. The only way to convince them to increase permanent head-count was to submit the request prior to the annual budget meetings, even though you may not know ahead of time if you need it or not. Oh, and requesting an increase in OpEx and not using it makes it more likely that future requests will be denied. It's not like that anymore (by that I mean the requesting additional FT people), but god drat there was almost a revolt in my team a few years ago because of this.
|
# ? Feb 25, 2019 00:16 |
|
Some companies are so incredibly badly run. The idea that it's better to spend more for a lower quality outcome because somebody doesn't want to have a talk about a balance sheet will never stop being amazing.
|
# ? Feb 25, 2019 00:28 |
|
Thanks Ants posted: Some companies are so incredibly badly run. Amazing is not quite the word I would use.
|
# ? Feb 25, 2019 00:32 |
|
lampey posted: Yes it is likely that focusing on patching, best practices for network design, following least privilege principles, auditing current permissions, and monitoring for all of the above to ensure it doesn't change is a better use of your time. You are 1000x more likely to have a problem because a server has 3389 exposed to the internet and you have a weak administrator account password with the default name. Or a user downloaded malware that takes advantage of a vulnerability that should have been patched a year ago. I tell people to pretend that the attackers are already in the network so don't do stupid poo poo and allow them further access. Tab8715 posted: How do I communicate to the business they need to stop forking over half-million dollar checks to InfoSec consultants? I'm on a security review team that deals with requests from customers that send us their security audits about our software. We get these multiple page reports followed by stern emails from C levels about how these issues need to be addressed ASAP and we need the entire Dev team on a conference call 8am Monday and we'd better have a drat plan! With few exceptions nearly every report gets sent back pointing out to them that they are running out-of-maintenance software (in most cases they are 3 - 5 years out of date) and need to update, or they need to patch and harden their servers. The thing is that when you buy our poo poo, we give you guides for server/database hardening and even provide a chapter on it in our online and onsite training. So we kinda get a kick out of people spending 6 or 7 figures to be told to just RTFM.
|
# ? Feb 25, 2019 01:25 |
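The basics lampey lists (admin ports exposed to the internet, a local admin account still on its default name or an ancient password, servers that have not been patched in ages) are cheap to check for continuously, which is the point of the "monitor for all of the above" part. The script below is an added example and not from any poster in this thread; the inventory records, field names and thresholds are all constructed for the demonstration, and a real run would read the same fields from a firewall export, an account inventory and a patch-management report.

```python
"""Added example (not from the thread): audit a constructed inventory for the
basic failure modes lampey describes: admin ports reachable from non-private
address space, local admin accounts with a default name or a very old password,
and hosts that have gone too long without a patch. All data is constructed."""
from datetime import date
import ipaddress

ADMIN_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}
MAX_PATCH_AGE_DAYS = 90
MAX_ADMIN_PW_AGE_DAYS = 365
AUDIT_DATE = date(2019, 2, 25)                 # constructed "today" for the sample

# Constructed sample inventory; field names are this example's own assumptions.
FIREWALL_RULES = [
    {"name": "allow-rdp-any", "port": 3389, "src": "0.0.0.0/0", "action": "allow"},
    {"name": "allow-rdp-vpn", "port": 3389, "src": "10.8.0.0/16", "action": "allow"},
    {"name": "allow-https", "port": 443, "src": "0.0.0.0/0", "action": "allow"},
]
LOCAL_ACCOUNTS = [
    {"host": "srv-app01", "user": "Administrator", "is_admin": True, "pw_age_days": 900},
    {"host": "srv-app01", "user": "svc-backup", "is_admin": True, "pw_age_days": 30},
    {"host": "srv-db01", "user": "ops-admin", "is_admin": True, "pw_age_days": 45},
]
PATCH_STATE = [
    {"host": "srv-app01", "last_patch": "2018-01-15"},
    {"host": "srv-db01", "last_patch": "2019-02-10"},
]


def exposed_admin_ports(rules):
    """Names of allow rules that open an admin port to the whole internet or
    any non-private source range (the 3389-to-0.0.0.0/0 case)."""
    found = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] not in ADMIN_PORTS:
            continue
        net = ipaddress.ip_network(rule["src"], strict=False)
        if net.prefixlen == 0 or not net.is_private:
            found.append(rule["name"])
    return found


def default_named_admins(accounts):
    """Admin accounts still using a well-known default name."""
    return [(a["host"], a["user"]) for a in accounts
            if a["is_admin"] and a["user"].lower() in DEFAULT_ADMIN_NAMES]


def stale_admin_passwords(accounts, max_age=MAX_ADMIN_PW_AGE_DAYS):
    """Admin accounts whose password is older than the allowed age."""
    return [(a["host"], a["user"]) for a in accounts
            if a["is_admin"] and a["pw_age_days"] > max_age]


def unpatched_hosts(patch_state, today, max_age=MAX_PATCH_AGE_DAYS):
    """Hosts whose last recorded patch is older than max_age days."""
    return [p["host"] for p in patch_state
            if (today - date.fromisoformat(p["last_patch"])).days > max_age]


def audit(today=AUDIT_DATE):
    """Run every check and return the findings keyed by check name."""
    return {
        "exposed_admin_ports": exposed_admin_ports(FIREWALL_RULES),
        "default_named_admins": default_named_admins(LOCAL_ACCOUNTS),
        "stale_admin_passwords": stale_admin_passwords(LOCAL_ACCOUNTS),
        "unpatched_hosts": unpatched_hosts(PATCH_STATE, today),
    }


def report(today=AUDIT_DATE):
    """One line per finding, suitable for pasting into a weekly status report."""
    lines = [f"FAIL {check}: {item}"
             for check, items in audit(today).items() for item in items]
    return lines or ["OK: no findings"]


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the constructed data it flags the RDP-to-anywhere rule, the default-named admin account (once for its name and once for its 900-day-old password) and the server last patched over a year earlier; the VPN-scoped RDP rule and the recently patched host pass. Scheduling a run like this and diffing the output week to week is the cheap version of "monitoring for all of the above to ensure it doesn't change".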
|
Che Delilas posted:Try a listicle. "Nine security procedures that could save your network!" "Five easy steps to help you avoid bankrupting GPNS fines!" If I could put this on Airport Lounge advertisements, that might just work.
|
# ? Feb 25, 2019 01:31 |
|
Bonzo posted: I'm on a security review team that deals with requests from customers that send us their security audits about our software. We get these multiple page reports followed by stern emails from C levels about how these issues need to be addressed ASAP and we need the entire Dev team on a conference call 8am Monday and we'd better have a drat plan! In some ways, I do see how it's easier to simply throw money at a vendor to install some fancy new security appliance than it is to try and figure out IT Debt. Only god knows what the permissions are on that Service Account.
|
# ? Feb 25, 2019 01:36 |
|
Enterprise Admin to look up user permissions
|
# ? Feb 25, 2019 02:10 |
|
Anyone have an idea of how many full-time IT staff you would ideally have for a company of 50/100/500/1000 people? Like if I said there are only two full-time IT people, a senior and an entry level dude, for a company of say one hundred people with responsibility for all systems, AV, VMs, Helpdesk poo poo, acquisitions, LDAP, etc, etc, would that be weird/common/ideal?
|
# ? Feb 25, 2019 03:11 |
|
Defenestrategy posted: Anyone have an idea of how many full-time IT staff you would ideally have for a company of 50/100/500/1000 people? We have 3 service desk, 3 sysadmins, and 2 network admins for a 3k+ company lol. Kill me. Your scenario sounds pretty bad. I would at least want a dedicated service desk person for triage and handling the silly stuff that comes in.
|
# ? Feb 25, 2019 03:20 |
|
Tetramin posted:
We're a tech company so our users can pretty much handle the silly silly poo poo except for HR who can barely handle onboarding
|
# ? Feb 25, 2019 03:25 |
|
Omg mobile for jira is the best app ever.
|
# ? Feb 25, 2019 03:28 |
|
I just did a pretty big Cisco phone deployment for one of our recently bought locations. Pretty much everybody there secretly resented us buying them out and I feel pretty bad coming in and forcing them to change, even though their phone system was about 25 years old and getting them on jabber and ip phones is gonna be a huge upgrade. Just felt a lot of sympathy for the dinosaurs who couldn’t wrap their head around things like dialing before you pick up the handset. At least it was in Colorado so I got to get loving ripped at the hotel every night I was out there
|
# ? Feb 25, 2019 03:33 |
|
Defenestrategy posted: Anyone have an idea of how many full-time IT staff you would ideally have for a company of 50/100/500/1000 people? We have two people at my company of ~90, and it is a law firm so the users require a pretty high amount of hand-holding. That being said we do non-persistent VDIs and I think we get relatively few tickets because of it. I'm not going to say I'd turn down an extra person, but we do alright. We don't have a trainer and that has been our biggest problem for years. Also, management is listless, so that is also a point of frustration. [Edit: I've worked at larger places and 2 per 100 people sounds about right for users who need hand-holding. As you get bigger I think there's some economy of scale going on, but it's always going to depend on your industry and what you are trying to do. If you've got in-house custom apps or are trying to go gung-ho on something like ServiceNow or a highly-customized main line of business app, then you're going to need more people per capita. There's not really a rule of thumb for IT:user ratio.] Internet Explorer fucked around with this message at 03:58 on Feb 25, 2019 |
|
# ? Feb 25, 2019 03:47 |
|
angry armadillo posted: I have an interview this week and one of the things on the job spec was knowledge of the software development life cycle

Based on observations in these threads:
Design
Testing
Evaluation
Management's input
Heavy drinking
Re-design
Testing
Evaluation
Management's input
Heavy drinking
Change the colour of the menu background
Testing
Try not to murder sales team promising nonexistent features
Realize you're out of liquor
Bury bodies of sales team and manager in landfill
Testing
Release
|
# ? Feb 25, 2019 10:36 |
|
I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true.
|
# ? Feb 25, 2019 12:04 |
|
Sepist posted: I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true.
|
# ? Feb 25, 2019 12:07 |
|
Yyaaaaayyyyyy!!!!!!
|
# ? Feb 25, 2019 13:50 |
|
Sepist posted: I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true. Congratulations!
|
# ? Feb 25, 2019 14:10 |
|
Sepist posted: I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true. Congratulations!!
|
# ? Feb 25, 2019 14:15 |
|
Congrats man
|
# ? Feb 25, 2019 14:21 |
|
Congratulations!
|
# ? Feb 25, 2019 14:30 |
|
Sepist posted: I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true.
|
# ? Feb 25, 2019 15:07 |
|
Sepist posted: I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true. My condolences
|
# ? Feb 25, 2019 15:38 |
|
How is it that companies have no issues rolling out Windows/Office Suite upgrades and quarterly updates but asking them to apply a patch to an Enterprise application practically involves begging?
|
# ? Feb 25, 2019 15:42 |
|
Sepist posted: I always joke with coworkers that the only reason I am good at my job is I don't have kids to draw me away. Guess in 9 months we're gonna find out if that's true.
|
# ? Feb 25, 2019 15:56 |
|
Bonzo posted: How is it that companies have no issues rolling out Windows/Office Suite upgrades and quarterly updates but asking them to apply a patch to an Enterprise application practically involves begging? If it's only a security concern, I don't let it bother me. If leaders aren't on board with patching servers/services, then just add it to the current accepted risk list. I also make that list highly available. Anything in my reports to leadership will display it somewhere in bright red and it eventually bothers people enough to help move things forward. If the communication of risk just lives in someone's inbox or is just verbally communicated, it's easy to ignore. I send a report weekly of my team's active projects and progress to management. The current issues section (generally where I am waiting on other teams to resolve an issue) will always have the current accepted risk section. Everything I put there is meant to be embarrassing to look at.
|
# ? Feb 25, 2019 15:56 |
|
Vulture Culture posted:If you previously thought you were good at time management, you're going to learn really quickly what you're actually capable of Can I put my upgraded time management skills on my resume?
|
# ? Feb 25, 2019 16:40 |
|
What if you find out they're so much worse than you were selling?
|
# ? Feb 25, 2019 19:24 |
|
I am trying to get into networking, and I'm looking for a primer on the absolute basics (which is where I'm starting from). Assume zero knowledge other than what is taught as part of the A+ certification. Is there an online resource out there that covers the beginner level in preparation for N+?
|
# ? Feb 25, 2019 19:34 |
|
Time_pants posted: I am trying to get into networking, and I'm looking for a primer on the absolute basics (which is where I'm starting from). Assume zero knowledge other than what is taught as part of the A+ certification. Is there an online resource out there that covers the beginner level in preparation for N+? Psssst have a look at https://forums.somethingawful.com/showthread.php?threadid=3521165 https://www.professormesser.com/ is probably the most popular. Mike Myers (not the Wayne's World guy) has a series over on udemy which is probably $20 on sale right now. These classes will assume you know what things like IP addresses, servers, and routers are. Like, can you tell the difference between the three? Yes? Then you should be ok.
|
# ? Feb 25, 2019 19:45 |