BOFH: This buck's for you

Psst, pass it on

Episode 2

“What’s this?” the Boss snaps, pushing several sheets of paper over the desk at me in an annoyed manner.

“Ah! Memo two thousand and eleven dash one dash one,” I reply, “workplace resiliency.”

“Yes, I can read the title, but what is it?”

“It’s a memo outlining the things we should be addressing for systems and networks resiliency.”

“And you expect me to take this seriously?”

“Of course. You asked us to identify areas of risk in the company so we worked through the issues at length over the past two days and considered the changes we might make to ensure the company is protected both from disaster and accident.”

Which is a complete lie. In actual fact we hastily cobbled together a variety of randomly selected Google documents about disaster planning and disaster recovery into a semi-coherent investment guide for senior management. Then went to the pub for two days…

…Earlier in the week…

“I don’t get it,” the PFY says. “We’re recommending dual UPS units with dual generators, fed from dual supply circuits via dual redundant switching? It’d cost millions!!!”

“Probably not millions, but certainly more than the company would want to spend,” I reply. “I’ve not even got to the terabit backup network linking us to our hot site.”

“They’ll never go for it!!!”

“Of course they won’t – that’s the point.”

“What is?” the PFY asks.

“It’s the Big Buck Pass,” I sigh. “The insurance company wants to reduce their risk so they’ve upped the premiums claiming we don’t have a policy document which outlines how we mitigate risk - using this year’s terminology. The auditors – who should have seen this coming – raise it with the board as an ‘audit issue’ a couple of nanoseconds before the insurance bill comes in. The board raises the audit issue with the CEO, the CEO passes the buck to senior management, senior management pass it to middle management, middle management to line management and line management to us.”

“Yes, I get all that, but what are we doing?”

“We’re pushing the risk back up the food chain by suggesting the most expensive solution possible.”

“Why?”

“Imagine we have no offsite backups but decide we’d get by if you took a portable drive home every night.”

“We don’t have any offsite backups. And the only hard drive I take home is full of completed torrents!”

“That’s why I said ‘Imagine’. Now if the drive fails when the company really needs it we’ll be held responsible for not protecting the data to the best of our ability. If, however, we recommend an offsite disk storage solution that’s outside of our spending authority then the Boss has to authorise it before we can proceed. When he says no then we’re in the clear – buck shifted.”

“You’re losing me…” the PFY says.

“The Secret to the Big Buck Pass,” I say, “is in recommending a solution that someone further up the chain will say NO to. So the more outrageous the solution the better, because as it gets more expensive it needs to go further up the food chain to get approved or denied. Then, when disaster strikes we’ll say we always knew this might happen and had recommended a good solution but it got turned down. Buck passed.”

“So why don’t we just recommend the offsite disk storage idea?”

“It’s not expensive enough. See, if it’s something we can afford they might agree to it - and undoubtedly axe part of our ever decreasing operational budget to pay for. If, however, it’s something ridiculous that we couldn’t possibly afford it’ll get vetoed by someone up the food chain and we just keep the veto memo for... insurance… purposes.”

“And they wouldn’t try and implement it over a couple of years – part this year and part next?”

“Not if it’s ridiculously expensive,” I say.

“But won’t the Boss just say we have to do something cheaper?”

“He would – but to counter that we embellish the risk with fake numbers – like the 103 reported cases of UK companies losing over a million quid as the result of poorly backed up data in 2010 alone. And those are just the reported cases!!”

“And the real number?”

“Who cares? The Boss will hear “103” and “a million quid” and crap himself. By the time it gets to the IT Director it’ll be 153 and 2 million. But he’ll change “reported” to “apparently reported” just in case the IT Director checks.”

“Will he?”

“Course he won’t. IT Directors check numbers for accuracy about as often as they check their faeces for fibre – i.e. only when it’s in their face. He’ll pass it up and it’ll get axed somewhere below the CEO.”

“And this will work?”

“Sure, everyone does it!”

“Like when?”

“Like when the HR person was complaining about how much liability the company was carrying from accumulated leave from the Beancounters who never take leave. And someone suggested pushing the worst offenders down the lift shaft.”

“And were you the one who suggested pushing them down the lift shaft?”

“Hell, I was the one who pushed them down the lift shaft! But who could have known their grandparented contract gave them unlimited sick leave. So then someone suggested maybe the company should stop paying for their life support and maybe the problem would solve itself...”

“And that someone was you?”

“It might have been.”

“This has stopped being about passing the buck and just become a brag session hasn’t it?” the PFY asks unkindly.

“I’m trying to teach you about the machinations of a large company!” I counter. “Machinations that take years to learn. Like the time the Boss vetoed a workplace resiliency proposal and someone suggested we take him to the pub, feed him absinthe till he thinks he’s Conan the Barbarian, hand him a sword and let him out of the lift at the Beancounter’s floor.”

“I think I’ve seen that movie!” the PFY says.

“How did it end?”
