
Survey: Most IT Staff Don't Communicate Security Risks

CowboyRobot writes "A Tripwire survey of 1,320 IT personnel from the U.S. and U.K. showed that most staff 'don't communicate security risk with senior executives or only communicate when a serious security risk is revealed.' The reason is that staff have resigned themselves to staying mum due to an environment in which 'collaboration between security risk management and business is poor, nonexistent or adversarial,' or at best, just isn't effective at getting risk concerns up to senior management."
  • Spoon fed (Score:4, Interesting)

    by barista ( 587936 ) on Friday September 06, 2013 @12:16PM (#44775755)
    I send out security risk info to our employees every so often, but not all the time.

    Send them out too often, and you risk being ignored. Send them out infrequently, and people say they weren't warned. Once a month seems to do the trick where I work. Management actually encourages this since it keeps people aware without becoming annoying.
  • Re:one-way street (Score:5, Interesting)

    by Shoten ( 260439 ) on Friday September 06, 2013 @12:21PM (#44775817)

    IT would love to, but upper management doesn't want to hear it.

    Partially true, but not universally so. The problem is more that technical staff speaks in terms of technical risks, while upper management thinks in terms of business risk, and the two are not obviously aligned. It's like a patient who wants to know "how bad it is," and the doctor answers in terms of probability of due to . The key is to be more proactive about it, and to qualify where a business/organization is strong or weak in terms of security, while providing a plan to improve things down the road. It's impossible to tell someone what the odds are of X being compromised due to Y risk, resulting in Z cost; the best you can do is look for weaknesses and then come up with a plan to prioritize and fix them. Upper management understands the need to be secure, but they need to be given something they can understand and act on or approve. They won't make decisions based on things they don't understand (if they're smart).

    Of course, if compliance comes into the picture, then the risk definition changes. It no longer becomes about risk of compromise, but risk of fines due to noncompliance. This makes it very easy to categorize the risk and communicate it...and as a result, compliance-based security spending is very high compared to security-based security spending.

  • Re:one-way street (Score:4, Interesting)

    by Moryath ( 553296 ) on Friday September 06, 2013 @12:35PM (#44776011)

    "Why haven't you fixed it yet?"

    - Because we're coming to you right now to get authorization to spend the money required to fix it.

    "Rarglkebargle that's too expensive, find a free solution instead. Now where's the intern for my morning blowjob?"

    - There is no free solution. It takes time, hours, and a certain amount of training for the staff to get them to understand and help them comply with the security policies.

    "Rargle I'll just find someone else then. Fuck you, you're fired. Time for my powerlunch with the other cocaine-addled executives! Hey, I just saved the company your salary! I think I'll award myself some stock options for my brilliance and frugality!"

  • by SkimTony ( 245337 ) on Friday September 06, 2013 @12:43PM (#44776131)

    Management won't listen to anything regarding security until there's a personal fine associated with it. In fact, ignoring IT's comments allows them to claim ignorance. If you want upper management to pay attention to security risks, make them liable. Until then, IT is just another fall-guy when stuff breaks.
