Management: "Users are having massive problems"
Security: "okay, lets figure out why"
Figures out four separate things that are DEFINITELY causing problems, reports these four separate things.
Management: "So it's this one problem then"
Security AND Applications AND Desktop: "no, it's these four interrelated problems, and it only becomes visible when three of them are present."
Management: "OK, so it's this other problem then, we should remove that software"
Everyone Else: "No, it's not this other problem and removing the software isn't the solution. We HAVE a solution for this other problem"
Management: "Ok well... lets do what I said anyway"
Security: "That doesn't solve the real problem"
Management: "I don't beleve there is a "real" problem... it's just these things we have an easy solution for"
PROVES, beyond reasonable or unreasonable doubt, that there IS a real problem, that we know what it is, how to detect it, and how we have to deal with it.
Management: "Ok... I believe you... how do we fix it"
Security: "This is how we fix it. it is difficult and painful and will only MOSTLY fix the problem"
Management: "We can't do that"
Security: "Then we will keep having the problem"
Management: "So tell me what we can do to fix the problem"
Security: "I did... there isn't anything else we can do to fix the problem"
Management: "I don't believe you, get an outside expert"
Gets outside expert
Outside expert says the problem is the EXACT SAME THING as Security said.
Management: "So how do we fix it"
Outside expert says the EXACT SAME THING as Security said.
Security refrains from saying "I told you so", and instead says: "So, this is the problem, these are the issues it's related to, this is who it's impacting, this is how and why, these are the risks, these are the seven things we can do that can help it, this is the user impact of that, and this is the cost".
Management:"We can't do that... and you absolutely cannot say that in front of MANGEMENTS MANAGEMENT... I don't believe you, we aren't really having the problem you say we're having"
PROVES the problem AGAIN, with even more evidence
Lather, rinse, repeat
That has been my last three weeks
I should note, that this is a gross oversimplification; and that "Management" in this case isn't actually senior management, and it isn't everyone... it's some of the managers and leads of some of the other groups we interface with.
Over the past few weeks, I have had to prove, over and over again, that I know what I'm talking about, that it really is a problem, and that we really do need to fix it.. and I've explained at least a dozen times now the nature of the problem, and what our mitigation options are.
By the time I wrote this last Friday I was pretty damned irritated, and EXTREMELY frustrated and tired. I have been working 10-12 hour days plus 3 hours of commute, every day for more than three weeks, having to prove everything I say, every step along the way, for every new person that got involved etc... etc...
By Friday, I had pretty much had it up to... wherever...
I actually ended up raising my voice in frustration earlier in the day (I apologized right after) with someone who was being particularly obstinate in insisting that I was wrong, and that my proof was invalid.
I don't even know what sr. management has been told at this point. I'm pretty sure that if they get good information to make a decision from, they'll make a good decision... it's getting there that has been the problem.