Why Upper Management Doesn't "Get" IT Security
Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
Does.... (Score:2)
For that matter, does anybody know how all the fire codes, building codes, and such are offered? They too cost in the hundreds of dollars, but they are obtainable for free. What happens is that the books are referenced in court documents, and those are to be made public. In essence, for free.
I wonder if the same could be done for this...
Re:Does.... (Score:4, Insightful)
We, the taxpayers, have paid for this paper, yet we also must pay for copies of the very document we paid for to begin with.
That's what I don't like. Akin to double-taxation.
(from the BuyMe screen linked from Schneier...)
survey by The Conference Board (sponsored by the U.S. Dept. of Homeland Security)
Re: (Score:2)
You still have to pay for the book, heck the Author even makes a profit off it!
Tom
The difference... (Score:3, Insightful)
Re: (Score:2)
Hahahahaha cute. you thought the government was your representative. How naive, how cute...
In other news, taxation with representation, the new 2007 theme....
FDA approvals on medicines we actually need...
Welfare doled out in appropriate amounts with supervision...
Foreign policies that put you less at risk
Tom
Re: (Score:2, Offtopic)
The FDA will go through the process on anything that a company is willing to pay for the process on and is willing to go through all of the hassle of clinical trials. The FDA does not decide what drugs are going to be put through the process, the drug companies do. In fact the FDA even has fast-track systems for things that are needed.
If the wrong things are c
Re: (Score:2)
Ross
Re: (Score:3, Funny)
Shouldn't do that, either. (Score:5, Insightful)
Sounds like a damn fine reason not to give people grants to write books then, unless they want to do so as U.S. Government employees, and allow the book to be a product of the United States Government (with their name on it, of course), and therefore in the Public Domain.
If public money is being used to fund the creation of something, the end product of that creation ought to be freely available to the public.
Do you think people would be quite so keen on funding the Smithsonian Institutions, if they charged admission fees? Probably not. I don't have any problem with the Smithsonian being publicly funded, in fact I think it's great; but making things halfway-publicly funded is just crappy, and generally gets the taxpayer less "bang for their buck" than if they just went all-in on half the number of projects, but funded them completely and 'owned' the results for the public, therefore making them free for anyone to enjoy.
Re: (Score:1)
Re: (Score:3, Informative)
For the government department it costs less for the report they wanted. So they saved the taxpayers money.
Re: (Score:2)
Re: Not "Double Taxation" (Score:1)
Then when you want a copy, they Print On Demand your copy, which is essentially a Materials charge. Just because you are paying two SETS of dollars doesn't mean you're getting double charged.
Re: (Score:2)
Re: (Score:2)
a. "That's ridiculous; there's no way that printing that book cost $1 a page!"
b. "That's ridiculous! I'm calling the Fraud, Waste, and Abuse Hotline, and going to make sure your books get audited!"
c. "Ah, yes
There are no wrong answers.
In Canuckistan, we pay for building codes (Score:2)
http://www.mah.gov.on.ca/userfiles/HTML/nts_1_274
Twice that it..
Re: (Score:1)
In Soviet Massachusetts... (Score:2)
They
because our auditors don't get it. (Score:5, Insightful)
Many of the upper management people I talk to know more about what we should be doing compared to what we are doing. The problem they have in overriding the auditors is the threat of the government and the shareholders. If they take the safe route they keep their jobs and stay out of jail. Actually the fear of the government is far worse than fearing the shareholders. (thanks to wonderful overreactions by Congress we get even more doing a whole lotta about nothing that ends up preventing us from doing what we should)
Re: (Score:2)
Re: (Score:2)
dumb morons of the 70's (Score:2, Insightful)
Not that hard (Score:5, Informative)
Lets try this. When you forget to lock your Lexus and it's not there when you are ready to go golfing, that sucks. Almost as much as when you go to use the server and some hackers are using it to joy ride the net and sell all your customer records while you are liable. But unlike the car, where you can buy a new one, it's a pain in the ass to buy a new company image.
Re: (Score:1)
A Lexus? Sheesh.
CC.
Re: (Score:2)
Actually, that's a great analogy.
We have transitioned from the industrial age to the information age, and the security will follow that transiti
Re: (Score:2)
And while you're busy working to rebuild your company image, you're unable to spend as much time on generating revenue, and your stock price is falling.
That'll make sure the execs and board members get it, too.
one change... (Score:2)
My only complaint about this analogy is that it blames hackers for the loss. I'd blame internal company employees, to make it both more realistic as well as highlight the complexities of IT security that make it different from facilities management.
Re: (Score:2)
That's a very good point. I'm not worried about someone external to the company breaking into my network. With all of the firewalls, IDS', multiple levels of anti-virus scanning and web filtering taking place, the odds of malicious code getting in are pretty slim. My biggest concern is the recently fired employee, or the better than t
Re: (Score:2)
Computer people don't "get" business (Score:5, Interesting)
As a manager, you have to understand that EVERYBODY is screaming at you about their particular area. The marketing people need a bigger budget. The maintenance people are wanting to upgrade this and that. The transportation people need new trucks. That's their job. It's a top manager's job to look at each of these recommendations, and prioritize them in a way that will do the best for the company.
Seems to me like this blog entry is just another example of IT people being too myopic to get any real handle on how a business is run. In case anybody is scratching their heads as to why IT people rarely climb up the executive ranks to manage large companies, this example illustrates that reason very well. (Usually, in large companies, the people running the show are from marketing or finance. Occasionally operations. Never from IT.)
Re: (Score:1, Insightful)
Don't get me wrong, I do think there's such a thing as overkill when it comes to security, but there are enough management types out there who don't pay
Re: (Score:3, Insightful)
Too many IT guys present proposals like
"We need the ACME 3000 discombobulator to prevent DOR attacks, with a TOC of only $30,000".
Instead we should be saying
"Mr Rumsfeld these Denial Of Reality attacks may cost you
8% points at the polls we could prevent them for only $300,000".
See how much better it sounds.
Buy the "The Bullshit proposal language" (The boy cow book) from O'Really tomorrow.
Re: (Score:3, Insightful)
Unless you have valuable products you are storing, most places' physical security begins and ends with deterrent and auditing. It's cheaper to put a single lock on the door and an alarm system that logs off site than it is to put in reinforced glass with bars and magnetic locks.
This is not the point of view you want to take with data security, which is the "product" that you are trying to protect.
Re: (Score:3, Informative)
Unless the company makes security software or hardware, it IS an expense. Computer security should be handled with the same priority as physical security (keeping facilities secure) and basic infrastructure (power, water, telephone, etc.).
Yeah, it's absolutely vital, and the results of a breach can be devastating.
Any CEO that spends an inordinate amount of time on computer security will, and should, be fired.
Maybe this should be handled by the CTO or someone he manages? CEOs do vision, not operations
Re: (Score:2)
The trick to knowing whether or not it's absolutely vital (which it isn't, not in every case) is to calculate just how devastating a breach could be. That's how you decide how much time/effort/pay-grade to put into it. And sure, that's the CTO's job to determine, but the CEO needs to make sure that it's done, and depending on what the answer to the "How devastating?" question turns out to be, it may be a matter for his or her pers
Re: (Score:2)
You figure out the costs and that tells you what you can afford to spend in protection.
Yeah, it's opportunity cost, but you have to weigh the chances of a breach against the impact - it's hard to handle 'death of corp' as a cost. Of course, I do agree - proper IT security isn't that expensive, but it is pervasive. You need the common stuff like firewalls and passwords, but you also need to make sure people aren't running Kazaa on their desktops or running trojan elf bowling games while still allowing peo
Re: (Score:1)
Re:Computer people don't "get" business (Score:5, Funny)
I really am a little tired of hearing how IT does not generate any income!
Do the trucks you deliver your goods with "generate an income?"
The 8 Accounting servers go down for 24 hours, 15 Accountants cannot do their jobs.
20 years ago the company had 50 Accountants doing the job that 15 now do with the aid of computers. I would see this as reducing company overhead and every time you reduce company overhead you increase profits thus providing an "Income."
The 4 Authentication servers go down for 24 hours and 5,250 people cannot do their jobs.
5,250 people down for 24 hours (1 Day) is a lot of money (Millions). IT is generating an income by enabling everyone to do their job!
Although IT does not directly generate an income for a company it does not mean that it is a loss. It does not mean that the company could live with out the services that IT provides.
It is like saying the CEO, President, VP, etc. do not generate an Income for the company and are just a big hole you throw money into.
As to the topic of security, my favorite line has been "We will not be implementing security on the accounting servers. We do not want to make an A+ on SOX, we want to make a D and just get by. An A+ would be too expensive."
Re: (Score:2, Interesting)
Re: (Score:2)
So IT does not produce a tangible service? Like Accounting, File sharing, E-mail, etc.
I have been both VP and President of a multi-million dollar corporation. I understand the needs of the company and the Cost of doing business. I also understand that delivery of a product or service to the customer takes more than just handing them a product. The cos
Re: (Score:2)
I'm missing something. What did the CEO sell? And IT doesn't generate income, but it does generate profit. Profit is often more important. For a set income, appropriate IT can improve profit margins. That may be a net cost, but it is also a very real benefit.
Re: (Score:2)
That is like saying the Mafia generate income, because if you don't pay them, everybody is too scared to go to work, and no money is generated.
Apart from that, I agree with you.
Re: (Score:1)
Re:Computer people don't "get" business (Score:5, Insightful)
Forget the $495, I'll tell you for free. You want a better chance at the funding, make the upward ladder understand the detrimental effect to the company and their profit if the security is not in place. That means that you need to find the person in your group who can deliver the message in a nice brief way, using nice simple language that management understands, make sure you have urgency statements in the presentation, but don't be sensationalist, and the selling point is an assessment of the cost impact. The cost of developing security, versus loss of [fill in the blank]. And expect to get the funding in stages, in fact if you present a staged funding plan, it'll probably go down a lot better. Always remember, you don't hold the purse strings and those that do dislike being patronized or being made to look stupid (even though they may be).
Re: (Score:2)
1) The world needs more well trained and skilled CIOs.
2) The corporate boards need to empower and listen to their CIOs.
There is no reason Peon McJimmy from IT should be presenting a budget and implementation plan to a board. That's what the CIO is for, they have the knowledge, training, and experience to make that translation work well. Sure, the CIO may bring Peon McJimmy along to field any technical questions (the inevitable 'can we do [X]?'). But having a ne
Re: (Score:2)
Management wants someone in IT who can take care of the technical stuff. Managers usually also want explanations of where the money went in terms that make sense to them. They aren't tech experts. Most of them have no desire to be and don't want you trying to make them into one. They hired the IT staff to
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
While yes, upper management has to balance the needs of the company against the financial ability of the company. But at the same time you can't look solely at profit potential for investment. You must also look at risk vs reward and opportunity costs.
risk vs reward, if your company is dependent on 5 delivery trucks for their revenue, and one of those trucks dies, you are out 20% of your revenue. If your company (like prett
Re: (Score:2)
While this much is true, it is also true that IT is the one "area" of a company that touches and supports eve
The BOFH Approach (Score:5, Funny)
2) Simulate the effects of spyware by displaying the contents of the PHB's um...photo collection along with his browsing history.
3) Demonstrate the impact of weak passwords by logging in as the PHB and sending off a few colorful resignation letters to the CEO on his behalf.
4) Emphasize the importance of reliable nightly backups by indiscriminately doing rm -rf everywhere. (you ARE root, aren't you?)
5) Using the custodian's account, log in and download the entire customer database into your ipod, load it onto an independent laptop, and use the data to e-mail oodles of spam.
Or you can just tell them the risk factors in which case they'll just stand in front of the swiss cheese and sing of how all the holes are theoretical.
Re: (Score:2)
I know, 'cause I'm the guy that usually foresees the problems months, and sometimes years in advance, and utters the famous words "I told you so" (which doesn't go over very well most of the time). I always give the warnings out, and they are always ignored. When the chickens do come home to roost, I have the email trails to show that I saw it coming, and that the people who could have prevented it chose to ignore
Re: DOS Attack! (Score:1)
apparently customers dont want it (Score:2, Insightful)
People have shown a willingness to put
If upper management doesn't "get" IT security.. (Score:2, Insightful)
Not surprising... (Score:3, Insightful)
Bruce isn't in the business for giving out his top notch observations for free.
Are any of us?
I'd say it's a pretty lame attack to point out the cost as a negative. Just admit that you're not interested in his opinion and move on.
IT security sucks for this very single reason: It takes effort.
The solution? Demand effort.
Tom
Re: (Score:1, Informative)
Re: (Score:1)
Re: (Score:2)
I can see two reasons why that would be a valid point. One is that since the DHS commissioned the report, we've already paid for it. The other is that as near as we can tell from the excerpts this report isn't a collection of top-notch observations.
I only charge for customized advice that translates into specific actions for a client. Generic statements might as well be
Too rich for my blood. (Score:4, Insightful)
Re: (Score:1, Interesting)
I don't get "them" because "they" are simply bullshitting everyone already.
Sorry but no executive is worth what he/she gets paid... not for what I see they do for the company.
The general problem with IT. (Score:5, Insightful)
It's almost worth messing up from time to time just to show what would happen every day if you weren't there.
Re: (Score:2, Insightful)
Yeah. And how about the janitors? Maintenance people? Trucking people? Accounting people? Shipping people? People in manufacturing? IT is just one part of a massive support staff that it takes to run any business.
I'm sorry to break the news that IT isn't necessarily any more important than the people that make sure that the toilets flush and the power bills are paid. Actually, as a business o
Re: (Score:1)
All of those produce tangible results. The goal of a lot of IT work, security especially, is to produce nothing.
Re: (Score:2)
Or, in the case of IT security, the goal is to prevent things. The guard at the front desk is physical security - he doesn't produce anything, yet many companies wouldn't think of being without his work.
Re: (Score:2)
Actually, as a business owner, if I had a fixed amount of money and had to decide to spend it on either A. A plumber, B. More help on the loading dock, or C. IT, I gotta say that C would be last on my list. Sorry guys. I can run my business with somewhat broken computers. I can't run it with no toilets and nobody to receive the inventory.
Not so long ago, this post would have been impossible at /. Either the geeks are starting to grow up, or the demographic of /. posters has changed.
I'm actually surpris
Re: (Score:2)
Re: (Score:2)
I can tell you for free (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
That's hard to do when the guys in IT only spend money and don't make any.
Yeah, what do you think they do with all those computers? Oh, that's right, you use them to do your job. Maybe IT should start charging for their service.
The approach I keep hearing about (Score:5, Insightful)
Instead, calculate the cost of a breach. Then walk up the chain of command with the message "Like any risk, we can avoid it, mitigate it, transfer it to an insurance company, or accept it. If you do nothing you're accepting it. If you accept it then on the day a breach happens you will spend eleventy thousand dollars of company money. Do you have signing authority for eleventy thousand? If yes, here's the cost of a couple of mitigation options, and you're the boss. If no, you understand that I'm only going over your head because the decision has to be made at that level."
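The avoid / mitigate / transfer / accept framing above is the standard quantitative risk-treatment comparison. The following is an added example, not code from the thread or from the report it discusses: it computes annualized loss expectancy (ALE = single-loss expectancy x annual rate of occurrence) for a risk, the residual exposure under each treatment option, and whether the person being asked to accept the risk actually has the signing authority for the single-loss figure. All dollar figures, rates and reduction fractions are constructed illustrations, not real loss data.

```python
"""Risk-treatment comparison: avoid, mitigate, transfer, or accept.

Added example; not from the original discussion. All numbers are
constructed placeholders for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # SLE: cost of one breach, in dollars
    annual_rate: float   # ARO: expected number of breaches per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: what 'do nothing' costs per year on average."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Option:
    name: str
    annual_cost: float          # yearly cost of the option (licences, staff, premiums)
    rate_reduction: float       # fraction of ARO removed, 0..1 (1.0 = avoid entirely)
    loss_reduction: float = 0.0 # fraction of SLE removed, 0..1 (insurance, backups)


def residual_ale(risk: Risk, opt: Option) -> float:
    """Expected yearly loss that remains after applying the option."""
    sle = risk.single_loss * (1.0 - opt.loss_reduction)
    aro = risk.annual_rate * (1.0 - opt.rate_reduction)
    return sle * aro


def total_annual_exposure(risk: Risk, opt: Option) -> float:
    """Residual expected loss plus what the option itself costs."""
    return residual_ale(risk, opt) + opt.annual_cost


def rank_options(risk: Risk, options: List[Option]) -> List[Option]:
    """Cheapest total exposure first; ties keep input order."""
    return sorted(options, key=lambda o: total_annual_exposure(risk, o))


def decision_level(risk: Risk, signing_limit: float) -> str:
    """Accepting a risk commits to paying the single-loss figure on a bad day,
    so that is the number compared to the decider's signing authority."""
    return "this level" if risk.single_loss <= signing_limit else "escalate"


# Constructed scenario: a customer-database breach.
CUSTOMER_DB = Risk("customer database breach", single_loss=2_000_000.0, annual_rate=0.1)

OPTIONS = [
    Option("accept", annual_cost=0.0, rate_reduction=0.0),
    Option("mitigate (segmentation + monitoring)", annual_cost=60_000.0, rate_reduction=0.8),
    Option("transfer (cyber insurance)", annual_cost=45_000.0, rate_reduction=0.0, loss_reduction=0.7),
    Option("avoid (stop storing the data)", annual_cost=350_000.0, rate_reduction=1.0),
]


def best_option(risk: Risk = CUSTOMER_DB, options: List[Option] = OPTIONS) -> str:
    return rank_options(risk, options)[0].name


if __name__ == "__main__":
    print(f"{CUSTOMER_DB.name}: ALE ${CUSTOMER_DB.ale:,.0f}/yr")
    for opt in rank_options(CUSTOMER_DB, OPTIONS):
        print(f"  {opt.name:40s} total exposure ${total_annual_exposure(CUSTOMER_DB, opt):,.0f}/yr")
    print("decision:", decision_level(CUSTOMER_DB, signing_limit=500_000.0))
```

The ranking is only as good as the SLE and ARO estimates, which is the real work; the point of the code is that "accept" is an explicit row with a dollar figure attached, so doing nothing can no longer be presented as free, and the signing-authority check makes clear when the choice belongs to someone higher up.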
Re: (Score:2)
Or, if you like your boss, "If no, maybe we should kick this upstairs to somebody with enough authority to make the decision."
The real question (Score:2)
Problem? (Score:2)
Re: (Score:1)
We (the IT professionals) are responsible for IT security, which means we have to make them get it. If we propose a security solution and it is rejected we still tend to get the short end, i.e. fired.
I have talked till I am blue in the face about threats and what can be done about them and in many cases finally gave up. Something like "I gave them all the information, I explained it to them not once not twice and they still said no. So Management has accepted the risk."
Ala-p
Re: (Score:2)
Well, I would say it's their loss, not yours. They lose someone who gives them good advice, you get rid of a stupid Management.
What about non-profits? (Score:2)
Re: (Score:2)
Of course they don't get it (Score:1)
Why should they get it? (Score:1)
I sysadmin in education, and it's clearly a complicated business, far too complicated for any one person to sweat all the details. So some of us sweat finance. And some of us sweat the procurement of funding for 16-19 year olds. Some of us know what 'pedagogical' means ( not me ).
Our senior management are pretty good at what they do, which is to trust their specialists to do our jobs, and challenge us to justify our calls for resources and excuses for problems.
The pro
And... ? (Score:2)
Since I can't read the report without forking over money: The writeup suggests that there's something wrong with the notion that IT security is akin to facilities management. It doesn't say HOW it is different, though.
As far as I can tell, IT security and building security are pretty much the same idea. You may squeak by without any; you probably want to pay a couple guys to provide some basic security service; there's a diminishing return at the upper end, where hiring more security guards doesn't really
In a way, it is like facilities management (Score:2)
If the analogy holds, then IT security includes all "locks" and "cameras" throughout your IT infrastructure.
I HOPE that the CIO takes IT security as seriously as a building superintendent and physical-plant-security team take physical security.
Finally (Score:1)
Our tax dollars hard at work!
hero syndrome (Score:1)
Be glad they don't get it (Score:5, Insightful)
IT stuff is voodoo to most upper management, and I'm convinced IT shops get away with things they never would if the upper management understood IT as well as they understand, say, supply. I was upper management in two government organizations heavily dependent on IT. As a fairly competent computer user who likes to keep up with current events, I fought with our IT folks endlessly -- at least the management.
The first problem is IT quickly forgets that -- like everybody else except the people actually doing the core functions of the organization -- they are a support organization, not a control organization. They latch on to their ability to throw out security and voodoo computer terms to persuade the upper management to let them set policies. Upper management doesn't understand the policies at all, and often has no choice but to side with the IT pros no matter what the actual users want or need. As often as not, they then set policies that are purely for their convenience (for instance, wanting to standardize on Windows and a strict set of programs even though they support 25 or 30 different sections, some of which have been doing things like digital photography, desktop publishing and design on Macs for years). From the users' perspectives, IT makes using the actual IT resources as painful as possible to make their lives as simple as possible, and the fact that they're hampering actual mission accomplishment doesn't bother them.
Next, they have a sweet deal going where they set a bunch of standards that require certain certifications or skills, so they hire people who perpetuate those standards, and only buy things that are compatible with those standards. This then requires getting on an endless treadmill of more training, more personnel, more software, more hardware, etc. And all the while they make it clear that it's lunacy to buy anything that doesn't have vendor support because if it actually breaks they can't be expected to get it going again using only the training, hardware, software and people that they have browbeaten management into paying for using money that *every other part of the organization* was crying for and could have put to good use, too.
Lastly, on a day-to-day basis, far too many of them think that, because they're IT, it's their right to be arrogant, socially or organizationally inept, or just plain weird -- and sometimes it's a combination, so you get an organizationally inept weird guy being arrogant. How many of those does it take to ruin a shop's reputation? (IT certainly has no corner on that market, I'll grant you).
I could go on here, but I'm sure I've pissed off enough people already. I came from the internal communications side of things -- journalism and later PR. In my field management always thinks they can do your job better than you can because, hey, it's just writing and talking. Eventually, I got promoted into management and in dealing with IT I saw that their best defense is that almost nobody in a position of leadership (being mostly older guys, half of whom had never launched a program that wasn't sold by Microsoft) understood what the hell IT did or what it took to get it done. So all it took was a good talker or somebody who learned to cite vague security mandates from higher headquarters to get much more of what they wanted than anybody else did.
Of course, it also left IT open to being weaker when their leadership was weaker (or less smooth). But I didn't run into that. I ran into IT shops that got more of their resource requests approved than anybody else, but didn't really realize it and kept whining for more even though their support curiously never got better no matter how much you spent on them. And for every new capability you read about on Slashdot, they came up with two new security policies that made using it impossible.
Now I'm back in the trenches and don't get to go to the meetings where the IT guys try to talk the boss into banning the USB drives everybody has taken to using because the e-mail
Re: (Score:1)
Just remember that not all IT departments are like that, because mine isn't. We actually make a concerted effort to give the users what they want.
Re: (Score:2)
Re: (Score:1)
Staff: we want to use USB keys.
IT: We are going to ban USB keys. That's how viruses and worms get into the network. Banning USB keys will make our lives easier.
Rather than: Okay, what exactly is the problem you are trying to solve? Do you need the ability to work on files from home? Remote access?
In their defence this attitude can be the result of: (A) staff not articulating what the actual p
Well said! But: (Score:2, Interesting)
For instance: The company I work for (and the reason I'm posting anonymously) is currently running our main website on a Windows server. From talking to our hosts, it seems that crypto is something the Windows world just doesn't do. By that I mean, we want to install new web software? (PHP stuff -- you know, new version of Drupal, Wordpress, whatever.) We can either pay them $75/hour or so, or do it ourselves, over FTP. Plain-fucking-text
Yet Another Way Not to Get It... (Score:1)
We were to present these ideas, little over a dozen of them, to our VP on the business side of the company. Projects ranged from migrating systems to the DMZ to implementing Single Sign On.
All the projects were approved by the VP
What People Are Willing To Pay (Score:2)
Simple answer: Manager think like managers (Score:2)
And that's exactly what security is.
Security is also an expense that is much like an insurance. It's something
Re: (Score:2)
Even external attacks are the fault of internal departments. You can think of the internet as having an automatic mechanism whereby insecure servers get pwned by script kiddies - the script kiddie isn't the problem, it's whoever didn't secure the server.
Whack them in the junk. (Score:2)
Even if it doesn't do any good, the image of the boss rolling around on the floor crying is good for morale.
Re: (Score:2)
Re: $495 (Score:1)
When we copy stuff, we instinctively refuse to value our own time because it tends to be minimal. But if you have a government publication that's supposed to be available on demand (with large leeway for production times), orchestrating 1400 copies of the 500 page report
Let's say this tiny little govt dept. gets set up in a small building with a 5 person operation. At a certain number of copies, it will be full time work for that team,
Re: (Score:1)
An amendment can cost a building owner a pile of dough - who do you think they would go after? In 2006, everyone involved.
I am an arrogant IT person (Score:1)