10x Rolling Eyes

I was wondering this morning if I could build a list of 10 lies and bullshit lines that InfoSec “professionals” and C-Levels make up to use as an excuse for their security decisions. Let’s see:

1 – “There is a risk in this project, but I don’t have time to explain it to you in detail”;

2 – “Users’ productivity is an InfoSec concern, so we need to monitor how much time each one spends browsing the Internet”;

3 – “There is a norm (policy) against this” (but if you push them to show it, you will eventually hear that they are still writing it and it has yet to be published);

4 – “There are 415 high vulnerabilities related to this software, and they are all relevant in our environment, according to our specialists” (you mean, according to your McAfee Vulnerability Scanner, with no validation of whether any of them is actually exploitable here?);

5 – “We must be involved in every single project and acquisition, but we can’t take ownership of anything”;

6 – “If we have ZERO in any of our security metrics, we need to check it again. Showing issues is important to make the board realize how important our work is”;

7 – “I can’t pay for training sessions for my staff, or they will put it on their resumes and leave the company” (OK, I agree this is not an InfoSec-exclusive line);

8 – “We need to keep the ISO 27001 certification, so I cannot approve this project / software / printer supplier / risk exception / coffee brand / underwear colour”;

9 – “3-pass wipe? Are you insane? Data can be EASILY recovered. Make sure you do 27 passes, like the DoD! And after wiping, pulverize it”;

10 – “Let’s investigate that employee, because the company needs an excuse to fire him”.