One company I worked at had a sad data center failure, and I’m not talking a power outage or a fire or theft.
When I arrived at this company, it had no security department. Few security processes. Little security.
And the company also made two interesting mistakes when it hired me.
Mistake #1
First, the week before they hired me, the help desk called me 3 different times to ask for my complete social security number. They said that they needed it to set up my laptop.
I asked the caller if they knew the position that I was hired for.
No.
I told him: head of information security.
“That’s nice,” the caller said, and then he persisted: “Can I get your social security number?” (You just can’t make this stuff up.)
I asked the guy what his name was, and he told me. I told him that I would not provide it, but I still expected a laptop to be ready for me.
Later that week, two of his colleagues called me and tried to convince me to provide it.
I thought to myself: while they don’t have much of a security and compliance mindset, at least they really try to follow procedures.
I never did give my SSN to them.
And yet, my laptop was ready when I arrived.
This new job was full of opportunities and was going to be an exciting ride.
Mistake #2
The second serious mistake they made when they hired me is that they didn’t give me Internet access for 3 weeks.
Isn’t that funny? The security guy is not granted access to the Internet (that’s another story).
So, being the security guy (armed with a GOOJ card) with nothing to do–remember, they had no security culture or processes–I decided to hack the internal network and walk around a lot to see what kind of trouble I could find.
One day, I was shown the outside of the data center (yeah, I’m getting to the point, finally). I hadn’t received access yet, and they wouldn’t let me in. The conversation that day went something like this….
“And this is our data center,” my tour guide, who was from the Facilities department, said. He motioned with a wave of his hand at a locked door and a wall full of smaller doors.
“The data center has an outer area, which is immediately behind those doors, and an inner area where the hardware lives.”
“What are those smaller, clear doors for?” I asked, noting that they had knobs, but no locks. Inside each glass door was one or more shelves. Some shelves had stacks of paper on them, but most were empty. Some of the doors were quite a bit bigger than others, but all of them shorter than a people door.
“Each department has its own shelf for mainframe printouts. The data center guy collects the printouts and puts them on the appropriate shelves from inside the data center area. You just open your door and grab your reports.”
“The doors aren’t labeled,” I protested. “What prevents someone from accidentally, or on purpose, grabbing the wrong reports?”
“You look at the banner on the top page, so you’ll know if it isn’t yours,” my guide said, clearly irritated.
“Some of these doors are pretty big,” I replied, as I opened one of the larger doors, removed the shelf, and crawled through it.
“Hey, that’s a secured area,” my guide exclaimed. “You can’t go in there.”
“I know, but I just did.” I grinned at my guide through one of the windows. He moved toward the people door with his badge ready to swipe it at the reader.
Walking across the room, I stopped and said, “This looks like a check printer. And a stream of blank checks ready to be fed into the printer.”
My guide finally reached me and insisted I leave the area.
“Nope,” I said. “I snuck in here fair and square.”
“I’ll have to call security if you don’t come with me,” my tour guide threatened.
“I’m already here. My name is Mack. Nice to meet you.”
Continued in: Going Behind Door #2
Sometimes it is important to demonstrate weaknesses. Were there things in the culture that led you to believe that this approach would get you the most immediate return? Just curious.
allan,
I wasn’t sure what the culture was at this point; I was too new. My approach at this company was, if I can do it, so can anyone else.
Also, I have found that demonstrations are much more effective than memos, reports, or complaining. I let others tell the story about what happened, and let it spread through the grapevine. Then I explained WHY it happened and what we could do about it.
What I didn’t share was that I was hired at this company precisely because it needed to develop a security culture. My management knew I was going to make a lot of people uncomfortable. I just thought this was a creative way of doing it.
In the end, it turned out to be rather effective. It didn’t take long for people to shout, “Mack’s on the floor, heads up!” when I appeared. Eventually, people started policing themselves as they began to understand the risks and how their lack of security impacted THEM, not just their customers.
What other approaches would you have tried?