
December 12, 2006

What's a poor security guy to do?

I was talking to a good friend of mine tonight, a security manager, whose company is in the throes of going through a PCI audit.  It appears that, just as my friend warned his employer on numerous occasions, they are going to fail their audit miserably.  I am somewhat familiar with this situation, as at StillSecure we have had several companies come to us after failing their audits and purchase all three of our products to help pass the next one.  Let's face it: companies don't care as much about being secure, just about passing their audit (that is another story and an ugly truth in security that we can discuss another time).

My question to my friend, though, was: how will this reflect on him?  My friend said, hey, worse comes to worse, they can fire me.  I think this would be highly unfair, as he has been warning them for months and they have refused to hire the people they need and buy the products they need to improve their security.  However, my question went beyond his present job.  As the security manager at his company, does the fact that they failed their audit come back to count against him when he goes to look for another job?  How can he prove to another potential employer that he tried to get them to provide the resources they need?  Should a security manager walk off the job when his employer does not provide the minimum for what is necessary?  Security is always a battle for resources and budget, but when does the security guy's reputation demand he walk?  I am not sure myself, but am interested in your opinions.  Please comment!


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
