Steve-Wilme
Advocate I

Re: On the other side of privilege removal

All those things were in place; however, our new CIO took the unfortunate view that everything to do with security was "absolutely delusional" and could therefore simply be ignored, a bit like staying within the IT budget (also ignored) and regulatory compliance (also ignored). When you get to the point where half the IT department leaves in a 3 month period and isn't replaced due to a CIO, the problem probably is beyond fixing.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISOScott
Community Champion

Re: On the other side of privilege removal

When you have a toxic CIO like that, you need to cover your rear. That is why I like to send emails that "recap our earlier conversation" to make sure I "understood your intent". Then if they try to throw it back in your face I can refer to our previous conversation that "I emailed you about". As the system owner the CIO has every right to "accept the risk" of any decision they want to make, and as the CISO I have the right and responsibility to ensure that any "risk they are willing to accept" is fully documented in a risk acceptance document. It is also my duty to fully inform the CIO/senior management of the risks of their decisions, and if they (the CIO) or senior management are willing to accept the known risks I have presented to them, I document it and get them to sign it. I make sure I have emailed it to them to sign and return to me. If they refuse to sign it, I send a couple of follow-up emails so that I have it documented that I made every reasonable attempt to get them to sign it. That way I am as protected as I can be.
If senior management is OK with a toxic CIO, I then ensure my resume is up to date and I start looking for jobs with intense focus.

Steve-Wilme
Advocate I

Re: On the other side of privilege removal

After 9 months of doing as you suggested I took the latter option and found another job. Once you've lost a critical mass of staff you're not going to make headway anyhow.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS