
IT Decision Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com)

Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while the C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.
  • by Anonymous Coward on Wednesday February 15, 2017 @12:26PM (#53874241)

    Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.

    • by TWX ( 665546 )
      Then the lawsuit settlement is too low.

      I expect that insurance companies haven't yet truly figured out how to price the insurance they sell for this, and the long-term costs borne by the compromised companies haven't yet been truly realized.

      If these costs shift back to the company that allowed the breach to happen then perhaps they'll start leaning on the vendors that they source their IT from, to get those vendors to start paying attention to security.
    • If it weren't for the IT department, executives would not have a job.
    • Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.

      Fact is, it's the cost of doing business, but at the end of the day shifting that mentality from reactive to proactive is in the customer's hands. A company will react quickly if customers are known to run away from your brand after a security breach.

    • They actually do care in sectors like healthcare where information is heavily protected by law through HIPAA and it definitely is everyone's concern.
      Fines are high and the damage to the business may be even higher. Stocks go down. Partners don't trust you anymore with their data.
      You bet the C-suite is concerned if a breach means their $50 million worth of stock just dropped by 50%.
  • by chill ( 34294 ) on Wednesday February 15, 2017 @12:31PM (#53874289) Journal

    If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.

    They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.

    • Local administrative rights are needed by some software.

      Well, if I need to have 2 laptops then I need 2 data cards with worldwide data. Or is it OK to use a hot spot for both?

      • by Anonymous Coward

        local administrative rights are needed by some software.

        No, they usually aren't. Even antique software that "needs" administrator rights can usually be worked around by giving the local user write permission to that individual program's folder in Program Files. The occasional _really_ stupid program that stores its configuration in \Windows\System32, or somewhere equivalently boneheaded, can still be worked around by running it as admin once, then giving the end user write permission to the files it creates to store its configuration.

        The only real reason to nee

      • by Shoten ( 260439 )

        local administrative rights are needed by some software.

        Well if need to have 2 laptops then I need 2 data cards with world wide data. Or is to ok use an hot spot for both?

        This is less and less frequently true these days. More importantly, it's less frequently true because companies are taking away admin rights, at which point they then notice which software is written this way. And in turn, that software often gets replaced by something that's better written, since it represents a security risk by confounding the business' need to properly control user access rights.

        • And what if a CEO needs both a locked-down system and a system for their own stuff?

          • Perhaps a CEO makes enough money to afford their own home computer for personal stuff. There is no reason that a CEO even should be using the company computer for personal stuff; they would fire an employee for doing it, so why would they be exempt from the policy?

        • by jezwel ( 2451108 )

          software often gets replaced by something that's better-written since it represents a security risk by confounding the business' need to properly control user access rights.

          When did you last try and use Adobe Creative Cloud software in an enterprise setting? Yuck.

    • IT needs board-level power over the C-suite.
    • by Anonymous Coward

      If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.

      They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.

      I left my job as an engineer at a Fortune 10 company, Ford Motor Company, and not having local admin rights on my computer was in my top 3 reasons why. You are conflating having useless "cool gadgets" and having access to local administration on my computer as inconveniences? What you call "inconvenience" is a major road block to getting shit done in a timely and efficient manner. I am not joking when I say this: I will never work at a job where I can't have control of the computer I have to use. I ask abou

      • by dave562 ( 969951 )

        That seems like cutting off your nose to spite your face. I went through the same thing, but I shrugged and moved on. I do not know what your desktop support team was like at Ford, but the guys where I am have everything running very well.

        Windows 10, plus System Center and dare I say it Office 365 (2016) seem to be a good combination. Security updates are pushed out at the end of the Patch Tuesday (RIP) week. They are using PGP FDE and SSO through there works great. It does suck having to wait 4-6 hour

    • by dave562 ( 969951 )

      This seems pretty disconnected from reality. Any C-suite in a publicly traded corporation with a chief compliance officer is not going to be demanding exceptions from security policies. Those security policies are in place and enforced.

      Let's take them one by one.

      Full Disk Encryption - No way around that one. Every device has it. Period.

      Local Admin Rights - What CEO wants to admin their own device? That is what the help desk / admin assistants are for. Really? C-suite, doing IT grunt work. Hahahahaha

  • by Anonymous Coward on Wednesday February 15, 2017 @12:37PM (#53874341)

    Managers don't care about security. They give you no time and resources to properly implement it. Then when the breach happens, they suddenly care A LOT about security, and it's all your fault.

    There needs to be set security standards for the industry, and managers should have to sign off saying they don't care about these standards when they choose not to allocate the proper time and resources for security.

    • Downtime for reboots for updates needs to be OK.

    • When the breach happens, they care about one thing: Who "caused" it. They want to shitcan someone, say the problem is solved because the parties responsible are no longer working there, and continue on the same way, fundamentally insecure as before. Bonus points if they decide to bother running as a DA: "dsquery user | dsmod user -mustchpwd yes" so they can tell the press that "security precautions were taken."

      Even repeated breaches won't change this behavior, because it is a cost of doing business.

    • by skids ( 119237 )

      The answer to TFA's dilemma is "neither is responsible." Security is the responsibility of your designated cybersecurity officer. If you don't have one, you are doing it wrong. You need someone who can focus solely on security tech and policies. IT should be security-tech-aware as far as they can without losing focus on actual IT equipment, and the C-suite should be security-policy-aware without micromanaging security (and a bit of big picture over both of those sides doesn't hurt.)
      You don't want IT guys spe

      • The answer to TFA's dilemma is "neither is responsible."

        Actually, I'd argue both are. C-level execs are because they often don't allocate sufficient funds and downplay the possibility that things will go wrong. In essence, they are creating some risk they don't have to create simply for funding reasons, and they should own that responsibility. And the presence (or lack thereof) of a Cyber Security Officer is a C-level exec decision; most companies don't need one - but then, their IT manager is essentially taking on that role - realize, most companies are barely bi

  • I know what a C-level exec is. What is an "IT Decision Maker?" The full article is basically the summary plus a bit of fluff with no sources and no additional information.

    Is "Decision Maker" ManagerSpeak for "Security Team?" Otherwise, it sounds like the study may just be contrasting the opinions of middle-upper and senior management, which sounds pointless.
    • What is an "IT Decision Maker?"

      The guy from Geek Squad who got hired to run the entire IT department by himself.

    • I would think that an IT decision maker is the one who has control of the IT budget.

    • Security is the responsibility of the CSO.
      Don't have a CSO? Well *there's* your problem. The board and the other Cs should have made sure there was a CSO.

      Obviously, if the board and president blow off the CSO's warnings, override his decisions, and don't provide the needed budget, that's on them. It is the responsibility of the CSO to document those facts.

      • Security is the responsibility of the CSO. Don't have a CSO? Well *there's* your problem. The board and the other Cs should have made sure there was a CSO.

        Realize, the vast majority of companies have (a) a president/CEO and (b) a CFO and that's their entire C-level exec suite. Moreover, when it comes to small companies, the CFO is often an external accountant and not a real CFO; they're auditing and doing tax work, and providing guidance to someone that has no accounting background on how to do the books.

        • I've worked at companies with 2,000 employees or less that have someone designated as being in charge of security. Many companies don't, that doesn't mean they can't or shouldn't.

          > the CFO is often an external accountant and not a real CFO; they're auditing and doing tax work, and providing guidance

          A similar model can be used for security. Companies like Alert Logic provide the backing of thousands of security experts in a 24/7 Security Operations Center at a cost starting at dozens of dollars per month

          • I've worked at companies with 2,000 employees or less that have someone designated as being in charge of security. Many companies don't, that doesn't mean they can't or shouldn't.

            Most companies are 100 employees total, even 50 employees. So yeah - they can't. Everyone carries multiple duties as it is.

  • by Stolpskott ( 2422670 ) on Wednesday February 15, 2017 @12:43PM (#53874413)

    When you have a situation where each party is blaming the other, the cause is almost always a lack of effective communication by BOTH sides.
    If each thinks that the other is responsible, then neither has successfully articulated their opinions to the other.
    As an IT person, I do not mind being given the responsibility for handling cyber attacks, as long as I am also given the express authority that "handling" will require, and the budget to provision security and prevention measures.
    Of course, I am not going to get the budget that I ask for, no department head ever does. But then my acceptance of that budget comes with the written caveat that a reduced budget directly impacts my ability to "handle" cyber incidents and will increase the risk of successful attacks or sub-optimal mitigation of attacks.

    • Pretty much. People have an over-inflated sense of self-importance (IT says not being able to effectively do their job costs company millions more than C-level executives think it will) and want everything to be someone else's fault. QED.

      I can tell people what risk I can and can't handle given a budget. I'm not in that position; I'm just tech labor. I'm fully-capable of performing proper organizational risk assessment, planning risk controls, and assembling the necessary tools and procedures to contro

      • by dave562 ( 969951 )

        Finally, someone who actually has some experience. You are right on point sir.

        "Here is the risk. Here is the cost to mitigate the risk. Here is the risk of doing nothing. Let me know which way you want me to go. Please respond via email so that when the risk you decided you didn't want to mitigate materializes, you, me and everyone else understands who made the decision to ignore it."

  • The IT people are the ones who understand the issues and can put things in place.

    The C-suites must give the IT people the budget and the power - including telling C-suites that they cannot run their favourite games on corporate equipment.

    In the event of a problem the C-suites must be the ones who are blamed, even if the IT people screw up (as they should have checked what they were being told by IT). This is the only way that there is a hope in hell that we might get close to getting this nailed.

    This is one

  • by geek ( 5680 )

    Security decisions ultimately come from the board of directors, not the C-suite or the IT department. The board dictates what direction they want, the C-suite manages that direction and IT executes the plan.

    The C-suite should never be involved with security decisions beyond doing what they are told by the board. History, I believe, bears this out.

    • Not every company has a board of directors. Public companies probably do, but not private or family owned.
  • How can the IT department be held responsible if they aren't the ones making the decisions? The 'C-suite execs' have to authorize them first. Amirite?

  • 3rd party vendors also have control and can make it hard to lock stuff down.

  • Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.

    In related news, 85% of both groups combined think they are good at their jobs.

    Interviewer: You get paid the big bucks. Are you doing it wrong?

    Interviewee #1: Well, gosh, I don't know.

    Interviewee #2: Every damn time, and twice for breakfast.

    Interviewer: Uh, #2, how long have you held your current rank.

    Interviewee #2: The previous numbnut is still fumbling for his keys in the parking lot, with all his execu

    • I'm the janitor. The chief custodian wears a shirt and tie, so I do, too. Always dress like the boss, you know.

      A recruiter sent me off to a biotech company to interview for an IT support job. She told me to dress up in a suit and tie. I went into the lobby, which didn't have a receptionist, called the IT manager, and sat down. For 90 minutes people came and went through the lobby. I kept getting phone calls from the recruiter asking where the hell I was. Finally, a guy in sweat pants and a shirt asked me who I was there to see. He was the IT manager. The CEO was dressed worse than him. Everyone, including all the scientists walk

      • by sconeu ( 64226 )

        I bailed in a similar situation. I went for an interview, told the receptionist I was there for an interview and who my contact was.

        45 minutes later, I called my recruiter and told him I was bailing out.

        • I bailed in a similar situation.

          At that time I was out of work for two years and getting ready to file Chapter Seven bankruptcy. Bailing out wasn't an option. Not long after that interview, I started working multiple jobs for seven days a week for the next two years to recover from the Great Recession.

      • 90 minutes? That's about an hour longer than I'd have been there.

        Remember that job interviews are a 2-way street - you're interviewing the company to see if you even want to work there.
        That lack of respect for time, lack of awareness of everyone who walked by you, and the lack of self respect in attire says you made the right call.

        • That lack of respect for time, lack of awareness of everyone who walked by you, and the lack of self respect in attire says you made the right call.

          The IT manager was looking more for a drinking buddy than a tech. Those guys and everyone around them who don't keep a professional distance tend to get fired by management.

  • I'd say the only thing one can accurately get out of TFS is the fact that no one involved wants to be the scapegoat when the shit hits the fan.

    Gotta love it when fucking finger pointing is the true cause of a vulnerable environment.

  • by Anonymous Coward

    Shouldn't the real question be why we allow vendors to make and sell products with insecure features and standards, such as Flash, Java, VBS, etc.?
    The real problem comes from the standard that allows remote code execution on the user's machine. If you force people to use crappy tools you get crappy systems.

  • The issue isn't that each thinks the other is responsible, it's that each thinks they, themselves, are not.

    IT people have to be the ones to implement. Executives have to pay for it. Proper security cannot be done without both buying in fully.

    To frame the issue any other way is to fail.

  • Well IT is responsible for all the network equipment and infrastructure so if the data breach occurred because something was incorrectly configured then IT is 100% responsible. If the breach occurred on stationary work computers, that were NOT BYOC, IT is responsible. If the data breach occurred because the network was accessed and that access was not correctly configured, IT is responsible. If a computer enters the network that is not pre-authorized and already vetted, and gains unauthorized access IT i
    • If a computer enters the network that is not pre-authorized and already vetted, and gains unauthorized access IT is responsible.

      I worked on a PC refresh project where the engineers were told that they weren't going to keep their old workstation after the data transfer. Next morning they couldn't connect to the network with either the new or old workstations. It took an IT tech the better part of the day to track down a half-dozen rogue routers that were being used as switches for the new and old workstations. Since the users didn't bother to turn off the DHCP server on the routers, all nearby systems had a 192.168.1.x network address that went

      • Each port on the network switch should have been MAC bonded, and then if someone connected an unauthorized device, it would have shut down the port and thrown an alarm with the offending MAC address, which can then be traced to the device being plugged in. This is exactly how I handle all the switches in all my networks.
        • This is exactly how I handle all the switches in all my networks.

          That wasn't my experience at the Fortune 500 companies I've worked at. When I got into government IT, everything got locked down tight. Put a USB stick into your workstation, security will be at your desk in five minutes to take it away.
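The rogue-router scenario above (consumer routers left with DHCP enabled, handing out 192.168.1.x leases to nearby workstations) is a case where a defender can detect the problem from traffic rather than waiting for a technician to walk the floor. The following is an added example, not code from any commenter here: it decodes DHCPOFFER packets and flags any whose server identifier (option 54) is not on an allow-list of authorized DHCP servers. The authorized server address 10.0.0.1, the rogue router at 192.168.1.1 and the sample packets are all constructed for the example; a truncated packet is included to show that malformed input is rejected rather than crashing the check.

```python
import struct
import ipaddress
from typing import Dict, List, Optional

# BOOTP fixed header is 236 bytes, followed by the 4-byte DHCP magic cookie.
BOOTP_HEADER_LEN = 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCP_OFFER = 2


def build_offer(xid: int, yiaddr: str, server_id: str, client_mac: bytes) -> bytes:
    """Assemble a minimal DHCPOFFER; used only to construct the sample input below."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen=6, hops, xid, secs, flags
        b"\0" * 4,                             # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,  # yiaddr: the address being offered
        b"\0" * 4, b"\0" * 4,                  # siaddr, giaddr
        client_mac.ljust(16, b"\0"),           # chaddr
        b"\0" * 64, b"\0" * 128,               # sname, file
    )
    options = (
        bytes([OPT_MESSAGE_TYPE, 1, DHCP_OFFER, OPT_SERVER_ID, 4])
        + ipaddress.IPv4Address(server_id).packed
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> Optional[Dict[str, object]]:
    """Decode the fields a rogue-server check needs; None for non-DHCP or truncated input."""
    if len(packet) < BOOTP_HEADER_LEN + 4:
        return None
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        return None
    hlen = packet[2]
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))
    chaddr = packet[28:28 + min(hlen, 16)]
    options: Dict[int, bytes] = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            return None                        # option code without a length byte
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            return None                        # option body cut off: treat as malformed
        options[code] = value
        i += 2 + length
    server_id_raw = options.get(OPT_SERVER_ID)
    return {
        "message_type": options.get(OPT_MESSAGE_TYPE, b"\0")[0],
        "server_id": str(ipaddress.IPv4Address(server_id_raw)) if len(server_id_raw or b"") == 4 else None,
        "offered_ip": yiaddr,
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
    }


def find_rogue_offers(packets: List[bytes], authorized_servers: set) -> List[Dict[str, object]]:
    """Return every DHCPOFFER whose server identifier is not on the allow-list."""
    rogue = []
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info is None or info["message_type"] != DHCP_OFFER:
            continue
        if info["server_id"] not in authorized_servers:
            rogue.append(info)
    return rogue


# Constructed sample input: the corporate DHCP server (assumed to be 10.0.0.1), a consumer
# router someone plugged in (handing out 192.168.1.x leases), and one truncated packet.
AUTHORIZED_SERVERS = {"10.0.0.1"}
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_PACKETS = [
    build_offer(0x1234, "10.0.5.23", "10.0.0.1", CLIENT_MAC),
    build_offer(0x1234, "192.168.1.100", "192.168.1.1", CLIENT_MAC),
    build_offer(0x5678, "10.0.5.24", "10.0.0.1", CLIENT_MAC)[:-4],
]

if __name__ == "__main__":
    for hit in find_rogue_offers(SAMPLE_PACKETS, AUTHORIZED_SERVERS):
        print(f"rogue DHCP server {hit['server_id']} offered {hit['offered_ip']} to {hit['client_mac']}")
```

In practice the packets would come from a capture of UDP port 68 traffic on the access segment; an alert on a server identifier outside the allow-list gives the same actionable detail the port-security alarm in the comment above would (the client MAC and the offending address), and it catches a rogue DHCP server even on switches where port security is not configured.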

  • I wonder how many C-level executives can name their IT employees past the CIO/CTO or VP...
  • Upper management just knows never to let profit be wasted on yet more hardware and software?
    What about the generation shareholders? Executive bonuses are enjoyed every year. Why is that profit going on security hardware and software?

    Are US legal teams haunted by some open court event in the 1980's or 1990's?
    Logs finally showed an issue, law enforcement got contacted is all the compliance that needs to be public.
    Showing a team understood an issue but could not prevent it or failed to report an is
  • by sdinfoserv ( 1793266 ) on Wednesday February 15, 2017 @08:01PM (#53877299)
    It's the responsibility of IT decision makers to educate executives on the value of cyber security. Proper education is a risk/benefit/cost analysis rather than just fear mongering.
    The goal is to get executive support for both programs and resources (especially $$$) that allow IT decision makers to implement proper security.
    If IT decision makers are unable to influence and persuade, pass the management hat and go back to coding.
  • IT should be responsible if given sufficient resources and latitude to implement security measures. The problem is that that is not always the case. Many times one of those is lacking and that is the responsibility of the executives.
