Last Updated on 2022-04-06 by Joop Beris
So what’s my day been like? Well, I’m glad you asked dear reader! Pull up a chair, pour your favourite alcoholic beverage and strap yourselves in. This ride is going to be hard and we don’t have any airbags! Airbags sound too much like risk management and who cares about that? Who cares about information security anyway?
So the day starts off pretty normal, answering email. Not much of interest there. Some standard questions and some newsletters to catch up on. Oh, and the odd meeting invite that doesn’t say what the meeting is about, why I’ve been invited and what the fuck I’m supposed to do there. I don’t even respond to those any more. What is interesting though is what is not there. I was expecting some people to confirm a meeting that I invited them to. A meeting they said they’d attend. A meeting where we were going to talk about possible risks before a big software purchase. Well, I guess we won’t be having that meeting then. It’s not like I’m responsible for any fallout or anything (they are!). I’m sure it’ll be fine!
Suddenly, the phone rings. Turns out the person on the other end of the line thinks it might be time to talk about the information security aspects of a project that’s almost complete. Sure, mate. That’s when you think about information security, when everything’s almost finished and you’re out of time and out of budget. We’ll just slap a sticker on it that says “security by design”. If it’s a sparkly sticker, I’m sure everyone will believe you. Who cares about information security anyway?
Joy of joys! We learn that manglement management approved the purchase of a brand spanking new cloud solution that’s going to house the personal information of a lot of people. But it’s okay because we signed their data protection agreement. Wait, what? Ah, never mind. At least it was cheap. It’s not like we have a legal obligation to protect personal information, is it? So it’s not that we might need to come up with some security requirements of our own, is it? Even if their encryption standards predate the internet, that’s probably nothing to worry about. Nah, it’ll be fine.
No downtime ever
And so we come almost to the end of my working day, dear reader. But before I can quit for the day, I just have one more meeting. A meeting where we’re actually going to talk about risks before buying some new software. Does this mean my day is going to end well after all? Will all the frustration and face-palming actually have been worth it? Guess again!
You see, now I get to explain to a group of managers the concepts of acceptable downtime and acceptable data loss. How long can a service be unavailable before it becomes unacceptable? Well, the answer is “never” of course. It has to work all the time. Never mind that the business keeps regular office hours and no one is going to notice an outage at 3:00 AM. Fuck man, even Google goes down from time to time but these guys can’t handle an outage of 4 hours?
How about acceptable data loss then? They look at me as if I’m a total idiot. Of course there’s no such thing as acceptable data loss. Not even in a worst case scenario. They can’t lose a single byte of information. At this point I bring up that even if a potential hosting partner is going to agree to such demands, the price will be astronomical and even then there’s no guarantee. Again, the looks from across the table are of total confusion. Of course they don’t want to pay a lot of money. What am I, stupid?
Even my usual car analogy isn’t of any help here because everybody knows that IT is nothing like cars. I clearly don’t know what I’m talking about. And yes, what do I know? It’s not like I do this sort of thing for a living. Except I do! Ah never mind, who cares about information security anyway?
Time for my medicine
So you see, dear reader: when you work in information security your use of alcohol is not recreational. It’s medicinal. And now, it’s time for my medicine.
Anyway, that’s all I got time for today. Go away now!
I apologize for the departure from my usual style. This “drunken” rant was inspired by author and YouTube film critic “The Critical Drinker” (a.k.a. Will Jordan). I aimed to copy his style as a tribute because I enjoy his stuff. Thanks for the insights and entertainment, Drinker!
So rest assured that this was a drunken rant and none of this stuff actually happened. Well, I suppose for legal reasons I should say that it was all a fantasy brought on by too much alcohol.