mikester
Seriously - don't mean to hijack but I'm at my wit's end (in all fairness it was a short trip).

I, like you, am just the network engineer. I happen to have held a few security positions before I went to this current job which was supposed to be a straight network job.

I honestly wasn't really sure I wanted to do security anymore because by and large companies don't want to do it and I was tired of fighting for something companies saw as purely an expense with zero return.

If you haven't had a breach and ended up in the news then you don't need to do any serious security. If you haven't had your entire Windows infrastructure compromised by some stupid worm - you don't need security.

In November they laid off our IT Security Director. He wasn't stupid but the job he was doing wasn't very successful. I'm not sure it was his fault but if he had a few more technical minds around him rather than the 'analysts' he would have had some problems solved.

They haven't replaced him and don't seem to intend to.

I want the job - but let me be clear: I do not want that job.

Now we're down to 2 'security' personnel, a technical analyst who means well and tries but is spread so thin he has no chance for success. And a 'manager' (with no reports) who tries desperately to get anyone else to manage the security project she needs done (rather than simply managing the project herself to ensure it does get the proper attention). She's nice, I like her but she clearly doesn't want to do the job she has. They both report to our CTO who doesn't seem to want to have anything to do with them.

I'm the Network Engineer, I 'know' firewalls. I 'know' VPN, I know host-based firewalls and I am reasonably good with IDS/IPS and create secure environments using standard Cisco routers and switches. I know more than routers, I am competent in systems - more so in the *NIX environment than Windows but I can hold my own.

We are in the process of building our security project plans this year - the CTO has a bi-weekly meeting with his security duo on Monday. It's supposed to be an hour. I spend the better part of a couple of days working up reasonably simple slides for a couple of projects we need to do this year. I work up the numbers, the hardware and hand it to the 'IT Security Manager'.

The meeting is supposed to be an hour, I get a message from her later in the day to call her back as the meeting was only 15 minutes and she wasn't sure she was able to give him all the information. As I finish listening to the message, the CTO walks into my cube and asks me if I have a minute to go over the project plans I've been doing.

So we go over the 4 project line items we need to do and he really wants to cut as much as he can. It's irritating but I understand where he is coming from - the only return from this is staying out of the paper in a C*O's eyes. Right now, publicity like this to our very public company would only add insult to injury. I go over the slides with him, the spreadsheets, the money and the risk as well as what we can do as a compensating control in lieu of NOT spending this money or some of it. He spends an hour with me instead of his security team. I think he walked away thinking I single-handedly saved him $600k from his budget and I think I got most of what I want to get done. We'll see. Quarterly results are announced on Monday and I'm fully expecting they are just going to shut the IT department down and start stringing up cups between buildings.

I've been trying to get a series of firewalls in place with policies other than 'permit ip any any log' for the better part of 2 years.

I just needed to vent that I guess..

goosfrabaaaaa
__________________
-The Mikester

I heart Boobies

Last edited by mikester; 01-30-2009 at 09:22 PM..
01-30-2009, 09:18 PM