Hello everyone,
I believe this is not the first time we have come across this topic. Due to the Coronavirus outbreak, leadership and the C-suite are trying harder to satisfy business needs in order to keep things running and money flowing.
Well, in the end it is our job as SSCP practitioners to put in place what the C-suite has put on paper.
What is your opinion of video call group messaging as an alternative?
I think most of you have heard by now about ZOOM, and its security and privacy problems are snowballing. How can we mitigate them? I'm sure even Zoom himself cannot believe his eyes and ears that this day would come and his name would be so popular 😞
As an SSCP or CISSP you must balance the business' need to stay in business with security responsibilities. If you are rigid and say "NO! ZOOM is too risky for business and you cannot use it!" AND you do not provide an alternative or let them know you are actively looking for an alternative, then you will either lose the business' confidence in you and your security "opinions" or you may lose your job.
We had the exact same scenario come up. We don't normally use Zoom but an important client of ours did and requested a meeting using it. I did my assessment of Zoom, as you have, and noticed a lot of the same issues you mentioned. I examined what information would be presented/discussed at this meeting and decided it would be OK for this meeting to happen. I explained to the chief executive that I had some security concerns with Zoom but I thought this meeting (which appeared on very short notice) would be OK, but I didn't recommend it as our long term solution. I recommended Microsoft Teams (which would be a new venture for us) or the continued use of our current teleconferencing method until we could agree on a long-term solution.
I recognized that this new shift to major forced teleworking would present some issues but also some opportunities to push some of the security and IT improvements I was wanting the company to undertake. As an SSCP/CISSP you have to look at the situation, evaluate the risks, look for potential solutions and then present all of this to senior management for their ultimate decision. You will be a good SSCP/CISSP if all you do is warn about risks and stop there. You will become an excellent SSCP/CISSP if you are also able to provide guidance or solutions to the problems (risks) you are presenting. So present your concerns but also try to help them find a solution. Doing so will improve their opinion of you and enhance your career.
@CISOScott wrote: You will become an excellent SSCP/CISSP if you are also able to provide guidance or solutions to the problems (risks) you are presenting. So present your concerns but also try to help them find a solution. Doing so will improve their opinion of you and enhance your career.
Great advice, even outside of I.T. For years, my lunch bunch has had the rule that one could not veto a restaurant suggestion without throwing another into the hat.