Audits and self-promotion

"My policy is me" -it sounds like Obama, but the words came from an operations VP for a major health care group responding to concerns about an audit his people can't pass.

I talked to this guy last week, lets call him Sherriff in deference to the character on CSI Las vegas, who's facing an information security audit against a system built entirely on Wintel. "Sherriff", I said, "why aren't you passing bricks over this? I mean, you guys have no chance of passing an audit - your IT people can't even count the PCs you own, never mind account for the data on your laptops."

"I know we're vulnerable", he said, "but the auditors are as much captives to this crap as we are - and, anyway, their client's the government and they're as deeply into this [deleted] as anyone else. You watch, they'll send over some juniors, run up just enough billable hours, and then sign off on us just like our people had a clue - and they'll [deleted] smile doing it."

"Besides", he added, "my policy is me - and I'm not in the line of fire if some idiot over there gets it up enough to raise a delicately phrased management question or two - it's happy harry has his ass on the line, not me."

"My policy is me". Wow. My first thought was that he should be writing slogans for the Obama mob - and my second that his level of self-interested cynicism really ought to be indictable as dereliction of duty - but instead of saying anything of the kind, I asked the waitress for more coffee and reminded him that I used to work for his auditors.

"There's messaging," he said, "and then there's messaging."

I thought about that a bit, nodded a few times at whatever else he said, stuck him with the bill, and on reflection added "-30-" [ ~EOF] to my record on contacts with him.

NOTE: I'll be out of communications range for the next few days - Flake is minding the store, but he's a malamute and not that good at responding to written comments. I'll catch up Saturday.