Security's Shaky State

Ant writes "According to InformationWeek, Information Technology (I.T.) security professionals say when it comes to security, most I.T. departments are underfunded, understaffed, and underrepresented. Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with."
  • by jmp_nyc ( 895404 ) * on Monday December 05, 2005 @11:29PM (#14191100)
    A major part of the problem is that CFO types don't like spending money on things they don't see a need for. By the time they see a need for security, it's past the point at which throwing money at the problem will fix things.

    Likewise, the security side of an I.T. department is the sort of job that is hard to justify to people who assume that if they don't notice results, the job isn't really doing much.

    Ah the glory of an invisible job.
    -JMP
    • by Velox_SwiftFox ( 57902 ) on Monday December 05, 2005 @11:35PM (#14191123)
      Sigh. I've learned "I don't understand why we need X" is all too often a warning from a superior that continuing to push for X (including by providing the supposedly requested info) may be a career-limiting move. OTOH, if X turns out to have been needed after all, not having gotten it is hard to explain to that same superior.
      • by jmp_nyc ( 895404 ) * on Monday December 05, 2005 @11:38PM (#14191141)
        Sigh. I've learned "I don't understand why we need X" is all too often a warning from a superior that continuing to push for X (including by providing the supposedly requested info) may be a career-limiting move. OTOH, if X turns out to have been needed after all, not having gotten it is hard to explain to that same superior.

        I've experienced worse. At one company I worked at, I warned of the pitfalls of a particular implementation my boss had been sold on. I was ignored. When the problems I predicted showed up, I was then blamed for creating them.

        I quit that job as soon as a chance to move to a reasonably solid company came along...
        -JMP
        • by CrazyClimber ( 469251 ) on Monday December 05, 2005 @11:57PM (#14191216)
          I was going to moderate this thread until I saw your post. There's no option for "needs hug" and you sure deserve it.
          • by jmp_nyc ( 895404 ) * on Tuesday December 06, 2005 @12:17AM (#14191298)
            I was going to moderate this thread until I saw your post. There's no option for "needs hug" and you sure deserve it.

            Thanks, but I did gain an important bit of wisdom working there. The company brought in a supposedly hot shit developer to build systems. In departmental meetings where we went over our current projects, he was never interested in hearing about anyone else's project, but more importantly he got defensive when asked questions about how he dealt with various potential pitfalls. It turned out that he usually simply didn't deal with the pitfalls.

            It's no wonder that the project managers dreaded having their projects assigned to him, as they would not only take longer to get to launch, but he would rush things past testing because he presumed himself to be infallible. His projects therefore always launched with bugs. (We're talking basic things here, like web apps for thousands of concurrent users that couldn't handle concurrent requests.)

            Not only did I come away understanding the importance of bouncing ideas off others, but ever since that experience, I'm overly self-conscious about making sure to listen carefully to questions asked by people who aren't immersed in my projects. I find that those questions can often save me great deals of aggravation later in the dev process. I don't want to be a master-of-the-universe hot shit developer. I want to build things that work.
            -JMP
        • by LardBrattish ( 703549 ) on Tuesday December 06, 2005 @12:57AM (#14191448) Homepage
          I've experienced worse. At one company I worked at, I warned of the pitfalls of a particular implementation my boss had been sold on. I was ignored. When the problems I predicted showed up, I was then blamed for creating them.

          Document EVERYTHING in cases like this. Offer advice in the form of an e-mail, print out a copy of the e-mail and file it somewhere safe (like at home). Also never delete the e-mail you sent.

          Then when the stuff hits the fan you can defend yourself at the time in public and send another follow up e-mail including the original to back it up to whoever needs to know.

          This doesn't work if it's the owner being the jerk but it does cover your butt if a supervisor's trying to push the blame down to save him/herself.

          • Keep in mind that many workplaces with managed email storage via Exchange or whatever have retention policies that will purge all emails older than 6 months or whatever, so if it's something you really think you'll need as evidence a year from now, make a hard copy.

            Of course, this opens the door for them to say you violated retention policy and use that as an excuse to fire you, but if that happens you can be assured that they place more value on winning the blame game than on succeeding in the industry. Smal
        • I've had a similar experience. A major Canadian real estate company, which I was NOT IT support for, just the end user, decided to switch from a Unix local hosted solution to a web-based initiative.

          Props for looking to the future, major negatives for not thinking out their direction.

          I, well before implementation, pointed out that since this was WWW based, and our office connected to the web via an office about a thousand miles away, to connect then to an office about a mile away, casual lunch web surfe
          • You certainly seem bitter enough to realize (or be properly prepared for) the truth: companies move from self-contained and self-maintained systems to "web-based" so-called solutions, since they widely perceive such things as capitalizing on the commons, hence saving them money. It's also a matter of the outsourcing fad, in which nearly any company function is now considered for removal from the company proper, and instead given over to some (largely) shyster who merely promised cheaper operating costs.
        • Man believe me, that happens at plenty of companies exactly like you described, and many times it's not about security issues, but things like having a normalized database of files. Amazing isn't it, how it's always some big mouth VP or other company officer who doesn't know anything except how to flap his mouth and get conned by some fast talking salesman to buy some piece of junk software. Of course why bother asking the opinion of the IT guy or other professional. What the hell do we know? I was once a
        • by Anonymous Coward
          I warned of the pitfalls of a particular implementation my boss had been sold on. I was ignored. When the problems I predicted showed up, I was then blamed for creating them.

          There are a lot of career hazards with this one. I unfortunately became the nay-saying manager at a previous international telecom company a few years ago when I'd raise concerns about things like a calling card switch that:

          - had a default load of SCO with no patches
          - patches were prohibited because "they messed up the calling card soft
    • by conteXXt ( 249905 ) on Monday December 05, 2005 @11:37PM (#14191130)
      Funnily enough open source works in this regard.

      I was able to win the battle with corporate security after they sent in the outside security auditors.

      Outside audit showed nothing vulnerable (for whatever that's worth)

      Inside auditor then came to our office for further (second opinion) audits :-)

      Joke is that we were all using the same tools (nessus,nmap,etc) to different effect.

       
    • Maybe its a problem of insufficient penalty. The legal consequences regarding breaches of private information seem pretty lax (are there any at all?). Morality is meaningless in the boardroom. The desired behavior has to be brought into compliance by either the market or the government in some form.
      • How could you fairly legislate legal penalties for something like this. I would fight it tooth and nail if my cisco product was guilty of causing the breach when a default-hidden-password was used to penetrate the network.

        Also, with closed source security applications claiming anything under the sun as well as operating system bugs that let websites/emails trick users into clicking a link that gives access to the entire system which could then be used to access the entire network. I'm not saying open source
        • Suppose we force companies to pay reasonable damages (no criminal charges or anything unless criminal negligence is provable). Naturally, they can and will get liability insurance to cover this, and the actuaries will determine how much that will cost on the basis of how risky their operation is. Similar to having airbags in your car, companies will qualify for discounts by using known secure systems and hiring competent IT security staff. Software/hardware vendors will be motivated to produce secure pro
          • Yeah, just what I need as a small business owner, more insurance! Ridiculous.

            When are people going to learn that insurance companies aren't competitive anymore! They are all re-insuring each other, which essentially pushes silent collusion. This industry just rakes in the cash and screws everyone else. No More Insurance.


    • Ah the glory of an invisible job.


      Not only is the job of security invisible, it's effective to the degree that it's invisible! Thus, the better job IT security does, the less likely that they'll get future funding!

      Talk about working yourself out of a job....
    • A major part of the problem is that CFO types don't like spending money on things they don't see a need for.

      That's a common theme with all loss control divisions. All of the major performance measures are trailing indicators - they're only measurable in the event of a failure. You guys should look around and take a leaf out of the older loss control disciplines' books.

      Safety, reliability, risk management etc all have positive performance measures available and in use. Put together a dashboard of leadi
    • by Frater 219 ( 1455 ) on Tuesday December 06, 2005 @01:43AM (#14191575) Journal
      Likewise, the security side of an I.T. department is the sort of job that is hard to justify to people who assume that if they don't notice results, the job isn't really doing much.

      Here's a possible fix for that situation: Document and present to your bosses the nature of what you are preventing.

      Gather information about sites that are less fortunate or less competent than your own. Make sure that your boss knows when your competitor's Web site gets vandalized, or when some well-known business starts spewing out virus spam. Provide information about the specific techniques that you used which kept that from happening to your site.

      "In May of 20x6, businesses and home users across the Internet were hit by the Quigmorf worm, which was reported on the front page of the New York Times as causing $25 billion in damage. Our mail server anti-virus filtering rejected an average of 16 copies of this worm per second over the worst day of the outbreak."

      Disseminate periodic alerts about viruses that have stricken other sites, but which your own defenses are ably filtering out. Couch these in the language of protecting your users from threats they may face on other (and hence lesser) networks.

      "This Monday, Snarkashvili Anti-Virus discovered a new virus known as 'Quigmorf'. This virus infects Windows systems by sending email messages with a subject line of 'I love Quigmorf, click here to see why!' Infected systems become very slow and send out thousands of viruses to other email users. While our mail server anti-virus program is blocking Quigmorf, your home ISP may not be. Be sure to delete any messages with this subject line without opening them."

      Instrument your systems. Gather logs and present them in understandable form. Bosses know what a quarterly report is, and they can understand claims such as:

      "In 4Q05, our mail server blocked an average of 100 spam and 50 viruses every minute. This is a 25% increase over last quarter, and a 50% increase over last year. Spam complaints to spam@oursite.net are down by 65% over last year on a total email volume of 30% more messages. We attribute the improvement to the free open-source anti-spam and anti-virus programs that we installed last quarter."

      If worse comes to worst, you could always try talking time and money:

      "Our mail server blocks 100 spam every minute -- all day, every day; during working hours and after hours. It takes approximately 3 seconds for an employee to look at a message, recognize it as spam, and press the Delete key. This means our mail server does the work of more than twenty full-time employees dedicated to doing nothing but deleting spam."

      It's true! (100 spam / minute) * (1 minute / 60 sec) * (3 person*sec / spam) = 5 person, but a person only works less than 1/4 of the time (8 out of 24 hours, 5 out of 7 days) whereas a mail server works 24/7.
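
      To make the "instrument your systems" advice above concrete, here is an added example (not from the original post, the article, or any product mentioned): a Go program that tallies constructed mail-filter log lines and turns the counts into the per-minute rates and the full-time-employee equivalent Frater 219 computes. The log format, field names and sample lines are assumptions for the demo; the regular expression is what you would adapt to your own filter's logs.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines, not real traffic. The format is an assumption:
//   <timestamp> filter: action=<accept|reject> reason=<ok|spam|virus> from=<sender>
const sampleLog = `2005-12-05T09:00:01 filter: action=reject reason=spam from=a@example.net
2005-12-05T09:00:02 filter: action=reject reason=virus from=b@example.net
2005-12-05T09:00:02 filter: action=accept reason=ok from=c@example.org
2005-12-05T09:00:03 filter: action=reject reason=spam from=d@example.net
2005-12-05T09:00:04 filter: action=reject reason=spam from=e@example.net
2005-12-05T09:00:05 filter: action=accept reason=ok from=f@example.org
2005-12-05T09:00:07 kernel: this line is not from the filter and must not be counted
`

var lineRE = regexp.MustCompile(`^(\S+) filter: action=(\w+) reason=(\w+) from=(\S+)$`)

// Tally is the raw material for the quarterly report.
type Tally struct {
	Spam, Virus, Accepted, Unparsed int
}

// Parse walks the log once and counts each outcome. Lines that do not match
// the expected format are counted rather than silently dropped, so a format
// change in the mail software shows up in the numbers instead of hiding.
func Parse(log string) Tally {
	var t Tally
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		switch {
		case m == nil:
			t.Unparsed++
		case m[2] == "reject" && m[3] == "spam":
			t.Spam++
		case m[2] == "reject" && m[3] == "virus":
			t.Virus++
		case m[2] == "accept":
			t.Accepted++
		default:
			t.Unparsed++
		}
	}
	return t
}

// PerMinute turns a count collected over windowSeconds into a per-minute rate.
func PerMinute(count int, windowSeconds float64) float64 {
	return float64(count) / windowSeconds * 60
}

// FTEEquivalent is the "people deleting spam by hand" figure from the post:
// rate * seconds per message gives people needed around the clock; divide by
// the fraction of the week one employee actually works (8/24 * 5/7).
func FTEEquivalent(blockedPerMinute, secondsPerMessage float64) float64 {
	aroundTheClock := blockedPerMinute * secondsPerMessage / 60
	return aroundTheClock / ((8.0 / 24.0) * (5.0 / 7.0))
}

// Report renders the figures the way a manager reads them: one sentence per claim.
func Report(t Tally, windowSeconds float64) string {
	spamRate := PerMinute(t.Spam, windowSeconds)
	return fmt.Sprintf("blocked %.0f spam/min and %.0f viruses/min; manual deletion would take %.1f full-time staff (%d lines unparsed)",
		spamRate, PerMinute(t.Virus, windowSeconds), FTEEquivalent(spamRate, 3), t.Unparsed)
}

func main() {
	t := Parse(sampleLog)
	fmt.Println(t)
	fmt.Println(Report(t, 6)) // the constructed sample covers six seconds of traffic
	fmt.Printf("post's figure: %.0f FTE for 100 spam/min\n", FTEEquivalent(100, 3))
}
```

      Feed it a whole quarter's filter log and a window of one quarter in seconds and the output is the sentence in the post. The unparsed count matters as much as the others: if it jumps after an upgrade, the report is measuring the parser, not the filter.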

    • A major part of the problem is that CFO types don't like spending money on things they don't see a need for. By the time they see a need for security, it's past the point at which throwing money at the problem will fix things.

      Yet these same people do see a need for keys and locks and swipe cards and security guards. Why do they think network security is any less important than physical security?
    • A major part of the problem is that CFO types don't like spending money on things they don't see a need for. By the time they see a need for security, it's past the point at which throwing money at the problem will fix things.

      This isn't a problem - this is a good thing. Do you want to work for a company where the CFO has priorities other than the best spending of the company's money? Hell no.

      The problem here is one of speaking the correct language. Rather than saying "we need X", do a formal ROI. Docume
  • Simple Reason (Score:4, Insightful)

    by matr0x_x ( 919985 ) on Monday December 05, 2005 @11:34PM (#14191120) Homepage
    The IT Security department does more preventative solutions than anything else... so basically, if you don't hear booh about them, it's a good thing. Essentially, the better the job they do, the less the management of a company realizes they are important. "Oh, well we haven't gotten hacked in 3 years... we can afford to cut our security department budget this quarter".
    • Re:Simple Reason (Score:5, Insightful)

      by aussie_a ( 778472 ) on Monday December 05, 2005 @11:40PM (#14191151) Journal
      Which is crazy. You don't hear people say "oh you know. I haven't been broken into in the past 3 years. I think I can replace my deadbolt with a padlock I bought from K-mart." Why do companies continue to short-change their data security (in what many people claim is the Information Age) while beefing up their physical security? And whilever they continue to do this, we'll continue to hear of times when credit cards are stolen. Oh, I just realised why they don't care about information being stolen. Because it's only customer information. And it's not being stolen like physical objects, it's being duplicated.

      Until these companies are forced to care about their customer's data (and customers ain't doing shit about it at the moment), they won't.
      • Well, it's happening in the credit card handling businesses. There is a new standard for security being brought about by the Payment Card Industry (PCI.) Any firm that accepts credit cards needs to submit documented procedures for how security will be handled, and that includes things as diverse as encryption, patch schedules, security rights, data storage, longevity, and code reviews.

        If you want to handle credit cards in the future, you had better be protecting the card data appropriately now. Penalti

        • Re:Simple Reason (Score:3, Insightful)

          by WhiplashII ( 542766 )
          Unfortunately, this is not true. I have recently had to pass this review for my servers, and what it really amounts to is a checklist of the way they like to set things up. After doing the checklist, you are probably less secure than you were before - because your setup is different than what they were expecting, so doing what they say makes things worse, not better. For example, they require that you have an encrypted database to store credit card information. Prior to that, we did not store credit c
          • Re:Simple Reason (Score:5, Insightful)

            by plover ( 150551 ) * on Tuesday December 06, 2005 @01:15AM (#14191495) Homepage Journal
            The actual PCI requirements are for your company to establish standards and then document following them. But the details aren't completely spelled out by the PCI. Visa CISP did add certain restrictions, such as "you must never write certain Visa card data (Discretionary data, CVV2) to a storage device," and "if you keep the account number and the related guest data together, you must encrypt it."

            But they certainly made no such foolish rule as "YOU MUST STORE the data AND encrypt it." If anything, that was a misread at your company of "IFF you must store the data THEN you must encrypt it." Their guidelines are sound. The Visa cryptographers I've met with have been really sharp, and wouldn't allow a chump mistake like that to creep in.

            • Their checklist really does contain: "Do you have an encrypted database that stores credit card information" or somesuch. The only acceptable response is yes to all questions...
              • Wow, that reads like the old trick question "Did you stop beating your wife?" :-) There's no good way to answer it.

                Here's the way we phrased that particular question in our doc:

                "Is critical data (credit card numbers, passwords, etc.) encrypted before storage?"

                You might want to talk to your PCI people. The idea is to secure your data, not create holes.
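
                As an added example (not part of the thread, and not Visa's, PCI's or any vendor's code) of the rule plover states above, "never write CVV2 or discretionary data to storage; if you keep the account number, encrypt it", here is a Go storage boundary: it rejects any record still carrying a CVV2, checks the PAN's shape, masks it to first six and last four, and encrypts the full PAN with AES-GCM only when retention is actually required, which is the "IFF you must store THEN you must encrypt" reading rather than the checklist's. The field names, the masking rule and the key are assumptions for the demo; in production the key comes from an HSM or key-management service, never from source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CardInput is what the payment form hands over (field names are assumed).
type CardInput struct {
	PAN  string // primary account number
	CVV2 string // verification value: needed for authorization, never for storage
}

// StoredCard is the only shape allowed to reach a database.
type StoredCard struct {
	Masked     string // first six and last four digits, the rest replaced by '*'
	Ciphertext []byte // nonce || AES-GCM(PAN); nil unless retention was requested
}

var ErrSensitiveAuthData = errors.New("refusing to store CVV2 data")
var ErrInvalidPAN = errors.New("PAN failed length or digit check")

// validPAN rejects malformed numbers before anything is encrypted.
func validPAN(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	return strings.Trim(pan, "0123456789") == ""
}

// Mask keeps only the digits that may be shown in the clear.
func Mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Prepare is the storage boundary: CVV2 never passes it, the PAN is masked,
// and the full PAN is encrypted only when retain is true.
func Prepare(in CardInput, retain bool, aesKey []byte) (StoredCard, error) {
	if in.CVV2 != "" {
		return StoredCard{}, ErrSensitiveAuthData
	}
	if !validPAN(in.PAN) {
		return StoredCard{}, ErrInvalidPAN
	}
	out := StoredCard{Masked: Mask(in.PAN)}
	if !retain {
		return out, nil
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	// Masked is bound in as associated data, so a ciphertext copied onto another record fails to open.
	out.Ciphertext = gcm.Seal(nonce, nonce, []byte(in.PAN), []byte(out.Masked))
	return out, nil
}

// Recover is the only path from a StoredCard back to the number.
func Recover(sc StoredCard, aesKey []byte) (string, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(sc.Ciphertext) < n {
		return "", errors.New("no retained PAN on this record")
	}
	pt, err := gcm.Open(nil, sc.Ciphertext[:n], sc.Ciphertext[n:], []byte(sc.Masked))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // all-zero AES-256 key: demo only; real keys come from a KMS or HSM
	sc, err := Prepare(CardInput{PAN: "4111111111111111"}, true, key)
	pan, _ := Recover(sc, key)
	fmt.Println(sc.Masked, pan, err)
	_, err = Prepare(CardInput{PAN: "4111111111111111", CVV2: "123"}, false, key)
	fmt.Println(err)
}
```

                The authorization call that needs the CVV2 happens before this function and holds the value only in memory; anything that wants to persist the record must go through Prepare, which is where the checklist question "is card data encrypted before storage?" gets an honest "yes, when stored at all".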

        • I love these discussions (I work at a company that sells a database encryption solution). I also think this is the first time I've been actually qualified to make a comment on slashdot that wasn't a joke!

          The difficulties of PCI are in the:
          A. Interpretation - Many companies have been passing audits with "compensating controls," which has meant stricter perimeters, intrusion detection, app firewalls, etc. The auditors are saying this won't fly anymore, but we haven't seen a full realization of that in the mar
      • I think if a company's system is breached and fraud or ID theft is perpetrated, the time, expense, cost of new SS#, accounts, lawyers, etc. should be borne entirely by the entity responsible for the data's security. Punitive damages, if warranted, should also be assessed to punish irresponsibility.

        If the perps are ever identified and apprehended they should be severely punished civil & criminal.
        • And who's going to make them responsible? Me and my pro-bono lawyer? How will I prove it was their fault? From that day on any credit card fraud is their responsibility? Most people can't afford a good lawyer, and the lawyer they can afford ain't that good and is likely to sue successfully, and keep your money.
      • Re:Simple Reason (Score:2, Flamebait)

        by vmcto ( 833771 ) *
        I'm not trying to offer flamebait, BUT...

        I just want to get this straight:

        1) When a customer's data (credit card info, PHI, etc) is illegally duplicated it's stealing and all possible security measures should be taken to prevent this crime.

        2) When a content producer's data (song, movie, software, etc) is illegally duplicated it's only been copied, no real harm was done, and the content producer should just ease up.

        Yes I realize that the intent of content producer's is to propagate their data (through legal
    • Re:Simple Reason (Score:4, Insightful)

      by Metzli ( 184903 ) on Monday December 05, 2005 @11:45PM (#14191164)
      IMHO, the problem is two-fold. If they do their jobs well, the Security Department is essentially invisible as things hum along. The second aspect is that most people only hear from the Security Department in a negative connotation. Whether it's explaining why using FTP to outside folks is a bad idea, explaining why emailing an Excel spreadsheet with a password protection is a bad idea, or explaining why a user can't have access over a VPN to any port on any internal machine, it's evident that most people only hear from Security in the context of "you can't," "you shouldn't," or "you must." Right, wrong, or indifferent, that's just part of the job.

      Having been a server admin before doing security, I can tell you that the two jobs are very similar. When things are done correctly, the suits rarely know who you are, what you do, or why your job is important. Because of that, it can be extremely difficult to explain why you need $100k for firewalls or $50k for new servers. C'est la vie.
      • IMHO, the problem is two-fold. If they do their jobs well, the Security Department is essentially invisible as things hum along.

        That is why you do your job poorly or at least let certain things "happen".

        On a phone conversation at MegaCorp

        Boss: Why are all my emails missing?
        Security Advisor: Ummm... *randomly punches keys on keyboard* Looks like you were hacked!
        Boss: Oh noes! Why didn't you stop this!
        Security Advisor: We could have if you gave us a purchase order for a new device I've been wanting.
        Boss: Um..
  • by Cave_Monster ( 918103 ) on Monday December 05, 2005 @11:43PM (#14191155)
    Security doesn't tend to have a pretty interface that managers can see; managers love eye candy. It's a bit similar to the case where you will develop the interface before the backend. If you spend 6 months working hard on a backend, a client/manager will think you haven't been doing much. If on the other hand you have a nice colourful interface to show them after 6 months regardless of functionality, they will love you.
  • SOX (Score:5, Insightful)

    by Bonker ( 243350 ) on Monday December 05, 2005 @11:46PM (#14191169)
    Sarbanes-Oxley act is the new security-minded sysadmin's best friend.

    Managers and Execs start taking IT security a hell of a lot more seriously when they realize they can go to jail if they're implicated in fraud.

    To comply with SOX, you have to document all your procedures, all your data flow, and make it available to gov't regulators. You also have to document what holes you're aware of in your systems and how you plug them.

    Whistleblowing is quick, easy, anonymous, and DEVASTATING.

    SOX ROX.
    • Intrigued, interested, or confused slashdotters may wish to read the Wikipedia entry on the Sarbanes-Oxley Act [wikipedia.org], particularly section 3 [wikipedia.org].

      Looking at it briefly, it looks like this would only apply to IT dealing with financial data, and only of public firms. I am still not sure what "this" is exactly, but that's why IANAL. ;)
    • SOX - Important note (Score:3, Informative)

      by tacokill ( 531275 )
      SOX only applies to publicly held companies. Private companies are not bound by SOX.
    • by jafac ( 1449 )
      There are strong opponents to SOX, particularly in the securities-trading community (where most of the fraud that caused SOX in the first place occurs).

      My response to this:

      Fine. SOX is optional. But you forfeit coverage under Corporate Bankruptcy law. In other words; if you choose not to comply with SOX, you don't qualify for Bankruptcy Protection, should you need it, and you're responsible for all the debts your company incurs when you drive it into the ground by stealing.

      Seems like a fair deal to me.
  • by twitter ( 104583 ) on Monday December 05, 2005 @11:53PM (#14191198) Homepage Journal
    The number one threat is the Microsoft Desktop. It's closed, so you can't fix it, ever. Some would say it's broken on purpose but intentions are less important than the result.

    There's not much you can really do about it. You can buy all the "security" in the world and the next M$ worm will still take out your servers and your desktops. The only thing more staff does is make the recovery faster, but the limit is how fast Microsoft themselves fix the real problem. Beyond that, you block ports and services until things go away, which is not much better than broken.

    At big companies, the problem is NOT a lack of resources, it's resources poorly spent. The quoted ratio is 1:5, one Unix admin can do the work of five Windoze admins.

    • Not many companies will simply give up all the software that's tying them to Windows and switch to another operating system. Most of our servers run Linux for obvious reasons, but we have all Windows desktops and some Windows servers for apps that need them. I can't really say we've had virus or worm problems since I arrived. IE and OE are banned of course, we install the latest patches, and we're all behind a NAT.
    • At big companies, the problem is NOT a lack of resources, it's resources poorly spent. The quoted ratio is 1:5, one Unix admin can do the work of five Windoze admins.

      So, the average IT manager at the average big company has a 5/6 chance of having a Windows admin background and will get feedback on technical and business decisions from 5 Windows admins and 1 Unix admin?

      That pretty well sums it up where I work, too.

    • well you could go for a network set up to stop desktops talking to each other and the servers don't necessarily have to run windows (though if they do and they can be reached by a lot of users you probably need to keep a very close eye on them).

      ideally you might also want to stop outbound from servers to desktops as well although that may be unfeasible.
  • by Monkelectric ( 546685 ) <slashdot AT monkelectric DOT com> on Monday December 05, 2005 @11:57PM (#14191212)
    Security is underfunded because the whole point of business is to underfund everything you possibly can to make a buck.
  • by phorm ( 591458 ) on Tuesday December 06, 2005 @12:01AM (#14191229) Journal
    My biggest beef is not the lack of staff or budget but the lack of discipline. Nowadays it seems that everyone *needs* a computer at their desk, and they seem to have no problem misusing company resources. I don't mean things like checking email while on the clock, but rather installing their favorite IM program, or perhaps a fancy calendar doodad or toolbar (laced with an unhealthy dose of spyware, of course). Let us not forget those "important people" higher up the chain that would have your hide if you even mentioned that perhaps they shouldn't be using Kazaa on a company machine or opening every email attachment under the sun.

    There was a day where staff were wary of computers, and treated them with respect. Those days have long past... all they're wary of is that weird IT guy who tries to tell them what to do with their machine.
    • I don't mean things like checking email while on the clock, but rather installing their favorite IM program

      Almost every programmer I know uses an IM client as part of their job, communicating with the rest of the team; some of them use them to communicate with clients. The only exception I can think of to this is my boss, who didn't use one even when he was a programmer and isn't about to start now that he's Head of Development.

      Kazaa, etc I agree with - but I think you're being a little short-sighted railin
      • No problem with IM in general, I use it for work as well. Some stations I will work on though have MSN, AIM, Yahoo, and even other IM clients - all starting up at login - and generally none are used for work-related purposes.
    • What day was that when staff who used computers on a regular basis were wary of them? The reason we have PCs now is that employees didn't like the mainframe / minis which were rigidly controlled and they wanted to install their own software to do their job without going through IT.
    • You could try this:

      Boss, I have a problem...
      I got a call from the FBI that they wanted to meet with me regarding the use of the Kazaa program within our network. They think someone is downloading illegal music and kiddy porn. I was thinking we should block those programs to avoid liability, what do you think? Also, should we make it into a written policy just to be safe? I don't want to spend the next 2 weeks dealing with lawyers and law enforcement agents crawling through our networks.
  • The article just said "security professionals are getting the job done". How could they be underfunded? If the potential gains will be marginal, how much more money could you throw at the problem before it becomes unprofitable? And the cost of increased (as in ultra paranoid) security is not just in staffing and purchases. It also puts a strain on all the systems and employees in the company. I'm not saying there aren't companies in dire need of better security, but like your accounting department, security
    • If your company is growing, so should your security department. You're right about some people just wanting more. But there's a mindset currently to sell the "invisible" capital. A company's good name, your shareholders, whatever, in light of a short-term profit.
      It's a complete lack of ethics culturally that allows people to do things like this. It's how much you can get away with without getting caught (getting hacked), rather than "doing it right" as you say. You can't do it right without the staff.
  • by 3ryon ( 415000 ) on Tuesday December 06, 2005 @12:07AM (#14191262)
    First of all, I agree that security is a typically under-appreciated job. However, I've also seen what happens when security has the power to implement whatever tools/measures they want. That situation is probably worse than the lack of security at most places...not only can your security team get in the way of the business with insane risk avoidance policies (making the business less efficient), but it can be directly expensive in the price of staff and tools.

    Security people need to understand that not every risk has to be avoided. Many risks are an acceptable trade off to allow the business to be efficient. Honestly, I want my security team to be a little paranoid...but I want their manager to have a good understanding of the impact security policies can have on the people who do the things that bring money into the company.
    • Sounds like the security people need more training.

      Most businesses benefit from short term cross-posting of managers into semi-related departments, or even better, putting the managers in with the regular employees.

      Lots of big name Corps & Co's do this. It lets managers see things from more than one perspective which, I hope, lets them do their jobs better.

      If you have good managers, training works.
  • The notion that security is a "never" seen is exactly the wrong thinking that causes security not to be a problem. Would a hacker announce that he's rooted your network??? You still need highly trained security professionals on your network for exactly this reason - security cannot be a "hide underneath a pile of coats and hope everything is fine" IT approach.

    For most CIOs, their understanding of security doesn't extend further than users having local admin rights, spam, viruses and spyware. Other tha
  • People say they don't get paid enough, and there aren't enough jobs to go around.

    Sounds like the IT guys interviewed here took a cue from the nurses' union, which complains of "understaffing" every time you turn around, so they can get more members.

    • Unbelievable. I should have paid attention when /. hit that iceberg.

      Has sulli ever been to a hospital and seen how long it takes for a nurse to get to a patient now? I've been there and seen it in person. These nurses aren't lazy, there simply are too few of them for all the patients on a given floor.

      Here's some information for sulli to read and be educated.
      http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2001/08/16/ED211776.DTL [sfgate.com]

      Now, as for IT security, may sulli's credit card data be guarded by companies r
    • One of the hospitals that my wife used to do surgery at had a chronic nursing shortage. I don't remember the exact numbers, but the patient:nurse ratios were over 50% higher than JCAHO specified as the critical number. There were abundant stories of patients dying or experiencing other serious problems due to lack of proper attention. Nurses were being forced to stay several hours after their relief shifts had arrived to complete the documentation that they couldn't complete during their scheduled times.
  • by riprjak ( 158717 ) on Tuesday December 06, 2005 @12:26AM (#14191334)
    ... the Engineers and engineers; we doers, designers and other coal face bunnies have to eat some of the blame for under-funding and under-recognition.

    If we could accurately quantify the benefits of what we want to do; and there MUST be a simple investment/payback model that any managoid can understand for anything you want to do. We are smarter than them, yet more often than not we bitch about how dumb the senior management is rather than use our smarts to convince them.

    Trust me; do your research, present in simple terms the cost of the investment in (insert program here) vs. the cost of not doing it. Remember to quantify the risks in FINANCIAL terms. Lost productive hours; Loss of commercial advantage.

    Take an active role in developing Key Performance Indicators for the organisation if it has such programs.

    At the end of the day, baby boomers are, by and large, idiots as well as our bosses; they don't get the modern world. We have to present it to them in simple cost accounting terms. The more successful we are at communicating in these terms, the bigger our budgets will be.

    Remember, businesses don't/shouldn't SPEND money... they should INVEST it; this is the way to convince and influence PHBs and managoids.

    Anyway, just my $0.02AUD
    err!
    jak.
    • ROI requires accurate estimates of the probabilities, as well as consequences, of security compromise. Companies concerned about the damage to their image tend to make security incidents underreported. This makes accurate probabilistic risk assessment, and corresponding ROI calculation, difficult.

  • by gasmonso ( 929871 ) on Tuesday December 06, 2005 @12:29AM (#14191343) Homepage

    I work as a software engineer for a very large company in the US. After 5 years with limited security and no virus scanning of email, the company network was beat down internally by every virus known to man. The "solution" was a very unfocused initiative. IT did stupid things like block every attachment via email (driving us nuts) while not making antivirus software mandatory. People would just plug a laptop in the network and spread everything they had on it. The IT department should have focused on handling the viruses instead of trying to avoid them altogether. They will get on the network anyways. Another "smart" thing they did was block access to Windows Update to make installing patches difficult. They had the staff, but not the knowledge and plan. That's more important in my opinion.

    gasmonso http://religiousfreaks.com/ [religiousfreaks.com]

    • "I work as a software engineer ..."


      how is working possible in the environment mentioned above? or do you just hang around the coffee makin' machine?

      in the favour of your mental health, go get a proper job at a proper place.

      how impossible can it be to drive network into firewalled subnets and add virus scanners ? plugged in laptops should have read-only access to linux/any-other-*nix based samba servers only, no direct connection to any other windows box in anyway. ah, who can count all that up here.

      why di

  • > Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.

    Here's why: They are outsourcing all IT jobs to India. In other words, they create the problem because after outsourcing, no new blood is attracted to fill the ranks of the IT colleges.

    After creating the problem, they then lament about the problems they face...sheesh!

  • http://www.419eater.com/ [419eater.com]
    There are entire groups of civilians devoted to bringing down criminals and other IT security nightmares. The guys and gals at 419Eater do a better job than eBay in policing fake escrow sites, and taking them down [legally most times I'd hope].
  • But then again, you could accurately say the same thing about any other I.T. Dept.
    I.T. is a cost center of _any_ business, not a profit center..
  • underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.

    The other side of this is that even when companies do have the budgets for these fancy-schmancy products from uber-respected vendors, it's often the users, and their lack of awareness or education about their role in security, that's the weak link.
  • by cheros ( 223479 ) on Tuesday December 06, 2005 @06:02AM (#14192385)
    I've seen this time and time again - maybe I'm just getting too cynical for my own good ;-).

    As far as I can tell, in quite a few companies IT Security staff are only employed as a gesture towards corporate risk management. In other words, as long as the gesture exists there is an apparent legitimate claim that effort was put in to mitigate a risk.

    When (not if) the inevitable happens, it doesn't take a rocket scientist to work out whose head will roll. For those who haven't reached their operational caffeine level yet: it's not going to be an executive.

    Having said that, I'm glad to come across more and more evidence that quite a few companies at least *DO* get it so maybe there is hope.
    • I recall talking with a very experienced, capable security expert who had founded a company (and was CEO). The remark that sticks in my mind was along the lines of, "No one can make much money in this business, because customer executives never buy the security their company needs - they buy the very minimum to avoid being successfully sued for negligence if the shit hits the fan".
  • The science journal, Nature, has reported that water is wet.

    Security has always been a problem, and probably always will be, because the risk is very difficult to quantify. "You should install XYZ because it'll probably maybe sorta keep out attackers." doesn't quite cut it when you ask for $500k to implement it. And the field is changing too quickly to commoditize certain security issues (A/V and simple encrypted point-to-point communications excluded).

    Also, much of security is built upon black magic-- s
  • The only folks I saw who were quoted in the article worked either for state/local government or a university. I'm sorry, but private industry is an entirely different animal. Perhaps out of your 1,500 respondents, folks, you should give us an idea of the breakdown.

  • When it comes to ANYTHING (not just security), most IT departments are underfunded, underrepresented and understaffed.... Thank you, Captain Obvious!
  • by FellowConspirator ( 882908 ) on Tuesday December 06, 2005 @11:09AM (#14193864)
    First -- people don't value something until they think they need it; and that won't happen until they get burned.

    Second -- it's excruciating to separate the wheat from the chaff; there would appear to be a glut of IT security "professionals" out there if their resumes were to be believed, but in practice there are only a few gems to be found in that buzzword-compliant heap.

    I'm a computational biologist by profession, but on occasion have had to deal with various projects that involved some sort of security (be it in establishing secure external collaborations, or securing proprietary data in various analytical pipelines). I've seen IT security heads come and go and I've yet to meet one that I felt knew more than me -- and they should know MUCH more than me!

    I've met several true IT security professionals -- people that reeked of healthy paranoia and a truly fundamental knowledge of how things worked and interoperated. But, I've yet to see one in the wild looking for a job, much less hired by any company I've worked for.

    I think you're simply seeing blissful ignorance exacerbated by a confusing pool of self-proclaimed security professionals and a dearth of truly competent personnel. It's hard work, and the value of it simply isn't clear until it's too late.
  • I was the sole IT staff. For a major city in the North. My budget was $500.00 a month for any supplies or needed items. I was able to initiate a Network that spanned the city (from nothing) running most if not all of the cable and connections, building servers, initiating a domain presence, and also coding duties. I made 1/3 of what I make now. Without any of the responsibility I used to have then. IT is a 'loss leader' and Business (especially government for some reason) does not seem to be able to jus

  • They left out what I feel are a few glaring deficiencies in the IT world, a lack of catering and free back rubs.
