I have just come out from a long OTy[1] weekend, and when I said long I meant a 19-hour rally with 3 hours of sleep. All because the project I am with has once again been selected for a security audit and an internal audit will be conducted today.

The unplanned rally is caused by the short notice given to the project and the not-so-good state of our security documentation. Before somebody starts saying that it is our fault for not updating the security docs as we go along, please give us a charge number for that kind of work before you start pointing fingers. In typical corporate wheedling and cajoling, they (meaning the powers that be, or the power trippers as I call them) say that these should be part of the “continuous improvement” (CI) budget of the project. REALITY CHECK: WHAT CI BUDGET? We are on a fixed time arrangement with the client and just try telling the client that “we would allocate a portion of the time you bought to spend on security work that is not part of the contract you signed, and thank you for understanding.” Couple this with the fact that we are running over budget for the things that the client actually paid for! It doesn’t take a super sleuth to figure out that we are between a hard rock and a PHB.

To make matters worse, I am not satisfied with the output because we are tasked to churn out security documentation “aligned” with the corporate “version”. No, thank you, because

  • I don’t believe the return on investment on that documentation is significant.
  • The template documents provided are either not enough or an overkill.
  • The person who created those template documents should stop using PCP. Reformatting them to look professional entails too much work. I reserve the right to save my co-team members from the atrocities of using too many colors in a document, and loud ones at that.
  • If I am going to churn out security measures, then I will at least have the decency of believing those are practical and not just for show.

Why did I go through it? Because of pressure to pass the audit since the whole office accreditation can go up in smoke for failing the external auditors, and I don’t have the heart to add more stress on my manager. She already has enough problems on her plate regarding the project going over-budget and CMMi (yes, that effectively makes it a four-letter word) demands for full compliance.

19 hours and we aren’t even halfway to the 100% completion mark. I know I told my manager that what we are targeting now is just damage control but it is really disheartening whenever I see the completion ratio for the project. And after that I also need to consider going back to reality that I am also over-budget on the client deliverable that they want me to submit by end of this month. 🙁

End of rant for now. I need to check what else I can finish before the internal audit today.

[1] OTy, n., Short for O-Thank you, the free version of overtime.

ciao!