by csydas 877 days ago
> An essential is to establish credibility: 'Leave it to me - stay off my turf - and it will get done.' When they say the VIP needs something, find out what they really need and deliver that with amazing promptness and reliability (i.e., no saying later, 'oh, I didn't think of that!'). Everyone will be happy and impressed.

I do agree that this is necessary, but I would add that for more effective policy, there needs to be (semi-)public demonstrations of those with higher titles actively refusing excessive access rights beyond their scope so that everyone can see the commitment to the security practices. We started this in a previous org and it was as simple as statements such as, when someone offers to give additional access rights to someone who really doesn't need it, that someone declines with the reasons:

- It's a security risk to give out too many permissions

- [The someone] shouldn't have that access anyways, it should always be gated

This made it a lot easier to talk VIPs/whatever out of their temporary obsession with higher privileges as there was just an established social norm that the right thing to do is not to seek more access rights than are absolutely needed. Along with a very strong enforcement of change management on access rights that required very publicly visible documentation for such changes, it just got a lot easier to make the social cost of persons wanting access rights they didn't need too expensive for the VIPs/whatever -- none of them wanted to be the person in the change management report that got flagged for requesting access for frivolous reasons. For a short time we even levied the results of phishing email test emails against such VIPs/whatever as a demonstration that they really do need restricted rights, though this was forced to stop as it was "too embarrassing" for some of the VIPs/whatevers who had a horrible track record with phishing emails.

It's very simple to introduce, but enforcement just takes some time and a few potentially awkward conversations at first to prepare for the first "real fight" over access rights.


I got exhausted just reading this. Unless I'm getting paid big $$$$ to be the Chief Security Officer it's not my problem. I just document and move on. I'm not even in InfoSec. I always tag in infosec if there is such a department. Sometimes they stop the foolish behavior, sometimes they don't. It's their job.

Perhaps on HN there are lots of people getting that FAANG salary but I'm not one of them. I'm not going to sacrifice my sanity and health for standard industry pay. If they pay average, that is what they get. I recommend more people do the same; it's part of why everyone is going insane nowadays, popping pills, therapy. Because they are fearfully trying to do the job of 20 people.

> prepare for the first "real fight"

> talk VIPs/whatever out of their temporary obsession

F that to h3ll and back. Not my responsibility unless I'm getting paid. The world would be getting better, not worse, if more people actually fought for their sanity rather than doing work for free. Paid, or having a seat at the table, meaning actually having equal authority to the bigwigs making hamfisted decisions that they don't understand. Too many people are in charge that should not be. Let them burn.

> forced to stop as it was "too embarrassing"

Exactly my point.

These are great details. I'll only add that the first part is related to the executive buy-in that's necessary for anything.