IT Decision Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com)
Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.
They just don't care (Score:4, Insightful)
Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.
Re: (Score:2)
I expect that insurance companies haven't yet truly figured out how to price the insurance they sell for this, and the long-term costs borne by the compromised companies haven't yet been truly realized.
If these costs shift back to the company that allowed the breach to happen then perhaps they'll start leaning on the vendors that they source their IT from, to get those vendors to start paying attention to security.
Re: (Score:2)
Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.
Fact is, it's the cost of doing business, but at the end of the day shifting that mentality from reactive to pro-active is in the customer's hands. A company will react quickly if customers are known to run away from your brand after a security breach.
Re: (Score:2)
Fines are high and the damage to the business may be even higher. Stocks go down. Partners don't trust you anymore with their data.
You bet the C-suite is concerned if a breach means their $50 million worth of stock just dropped by 50%.
Toys, toys, toys... (Score:5, Insightful)
If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.
They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.
Re: (Score:2)
local administrative rights are needed by some software.
Well, if I need to have 2 laptops then I need 2 data cards with worldwide data. Or is it ok to use a hot spot for both?
Re: (Score:3)
That simply doesn't work. Do this, and most likely before you've granted admin rights to two users, you'll have one who says "Ok, sure, I'll take responsibility for all that.", and subsequently never, ever acts as if they're responsible.
Then, when something bad happens because they've done something nutty with admin privs, IT finds out they have absolutely no teeth with which to enforce accountability.
Re: (Score:1)
local administrative rights are needed by some software.
No, they usually aren't. Even antique software that "needs" administrator rights can usually be worked around by giving the local user write permission to that individual program's folder in Program Files. The occasionally _really_ stupid program that stores its configuration in \Windows\System32, or somewhere equivalently boneheaded, can still be worked around by running it as admin once, then giving the end user write permission to the files it creates to store its configuration.
The only real reason to nee
Re: (Score:2)
local administrative rights are needed by some software.
Well, if I need to have 2 laptops then I need 2 data cards with worldwide data. Or is it ok to use a hot spot for both?
This is less- and less-frequently true these days. More importantly, it's less-frequently true because companies are taking away admin rights, at which point they then notice which software is written this way. And in turn, that software often gets replaced by something that's better-written since it represents a security risk by confounding the business' need to properly control user access rights.
Re: (Score:2)
And what if a CEO needs both a locked-down system and a system for their own stuff?
Re: (Score:2)
Perhaps a CEO makes enough money to afford their own home computer for personal stuff. There is no reason that a CEO even should be using the company computer for personal stuff; they would fire an employee for doing it, so why would they be exempt from the policy?
Re: (Score:1)
software often gets replaced by something that's better-written since it represents a security risk by confounding the business' need to properly control user access rights.
When did you last try and use Adobe Creative Cloud software in an enterprise setting? Yuck.
Re: (Score:1)
If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.
They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.
I left my job as an engineer at a Fortune 10 company, Ford Motor Company, and not having local admin rights on my computer was in my top 3 reasons why. You are conflating having useless "cool gadgets" and having access to local administration on my computer as inconveniences? What you call "inconvenience" is a major road block to getting shit done in a timely and efficient manner. I am not joking when I say this: I will never work at a job where I can't have control of the computer I have to use. I ask abou
Re: (Score:3)
That seems like cutting off your nose to spite your face. I went through the same thing, but I shrugged and moved on. I do not know what your desktop support team was like at Ford, but the guys where I am have everything running very well.
Windows 10, plus System Center and dare I say it Office 365 (2016) seem to be a good combination. Security updates are pushed out at the end of the Patch Tuesday (RIP) week. They are using PGP FDE and SSO through there works great. It does suck having to wait 4-6 hour
Re: (Score:2)
This seems pretty disconnected from reality. Any C-suite in a publicly traded corporation with a chief compliance officer is not going to be demanding exceptions from security policies. Those security policies are in place and enforced.
Let's take them one by one.
Full Disk Encryption - No way around that one. Every device has it. Period.
Local Admin Rights - What CEO wants to admin their own device? That is what the help desk / admin assistants are for. Really? C-suite, doing IT grunt work. Hahahahaha
IT needs to get tough (Score:3, Insightful)
Managers don't care about security. They give you no time and resources to properly implement it. Then when the breach happens, they suddenly care A LOT about security, and it's all your fault.
There need to be set security standards for the industry, and managers should have to sign off saying they don't care about these standards when they choose not to allocate the proper time and resources for security.
Downtime for reboots for updates needs to be OK (Score:2)
Downtime for reboots for updates needs to be OK.
Re: (Score:2)
When the breach happens, they care about one thing: Who "caused" it. They want to shitcan someone, say the problem is solved because the parties responsible are no longer working there, and continue on the same way, fundamentally insecure as before. Bonus points if they decide to bother running as a DA: "dsquery user | dsmod user -mustchpwd yes" so they can tell the press that "security precautions were taken."
Even repeated breaches won't change this behavior, because it is a cost of doing business.
Re: (Score:2)
The answer to TFA's dilemma is "neither is responsible." Security is the responsibility of your designated cybersecurity officer. If you don't have one, you are doing it wrong. You need someone who can focus solely on security tech and policies. IT should be security-tech-aware as far as they can without losing focus on actual IT equipment, and C-suite should be security-policy-aware without micromanaging security (and a bit of big picture over both of those sides doesn't hurt.)
You don't want IT guys spe
Re: (Score:2)
The answer to TFA's dilemma is "neither is responsible."
Actually, I'd argue both are. C-level Execs are b/c they don't often allocate sufficient funds and downplay the possibilities that things will go wrong. In essence, they are creating some risk they don't have to create simply for funding reasons, and they should own that responsibility. And the presence (or lack thereof) of a Cyber Security Officer is a C-Level Exec decision; most companies don't need one - but then, their IT manager is essentially taking on that role - realize, most companies are barely bi
What is a "Decision Maker?" (Score:2)
Is "Decision Maker" ManagerSpeak for "Security Team?" Otherwise, it sounds like the study may just be contrasting the opinions of middle-upper and senior management, which sounds pointless.
Re: (Score:2)
What is an "IT Decision Maker?"
The guy from Geek Squad who got hired to run the entire IT department by himself.
Re: (Score:2)
I would think that an IT decision maker is the one who has control of the IT budget.
It's always the CSO's responsibility (Score:2)
Security is the responsibility of the CSO.
Don't have a CSO? Well *there's* your problem. The board and the other Cs should have made sure there was a CSO.
Obviously, if the board and president blow off the CSO's warnings, override his decisions, and don't provide the needed budget, that's on them. It is the responsibility of the CSO to document those facts.
Re: (Score:2)
Security is the responsibility of the CSO. Don't have a CSO? Well *there's* your problem. The board and the other Cs should have made sure there was a CSO.
Realize, the vast majority of companies have (a) a president/CEO and (b) a CFO and that's their entire C-level exec suite. Moreover, when it comes to small companies, the CFO is often an external accountant and not a real CFO; they're auditing and doing tax work, and providing guidance to someone that has no accounting background on how to do the books.
Experts included (Score:2)
I've worked at companies with 2,000 employees or less that have someone designated as being in charge of security. Many companies don't; that doesn't mean they can't or shouldn't.
> the CFO is often an external accountant and not a real CFO; they're auditing and doing tax work, and providing guidance
A similar model can be used for security. Companies like Alert Logic provide the backing of thousands of security experts in a 24/7 Security Operations Center at a cost starting at dozens of dollars per month
Re: (Score:2)
I've worked at companies with 2,000 employees or less that have someone designated as being in charge of security. Many companies don't; that doesn't mean they can't or shouldn't.
Most companies are 100 employees total, even 50 employees. So yeah - they can't. Everyone carries multiple duties as it is.
Re: (Score:2)
I would say that a "Decision Maker" is the one capable of making such decisions, regardless of whether they are a CxO or a member of the IT team.
That's what I was trying to get at. If a "Decision Maker" says it is someone else's responsibility, he is not making the decision.
Re: (Score:3)
*no wrong... unlike we mere mortals who make typos
Don't worry. Perfect spelling is no longer a requirement at the Department of Education.
http://wqad.com/2017/02/12/education-department-misspells-tweet-corrects-error-with-another-typo/
Re: (Score:2)
Crimer is the ahole who would give you heck for mistyping a word if you are on the other side of the aisle from him, but if your own team can't find light switches, doesn't read executive orders before they sign them, and makes up massacres then it was a simple mistake. amiright cremier?
This sentence is almost as annoying as an email from a receptionist who had a plugin for the Eudora email client that displayed each letter in a different color. People who downloaded email in plain text never saw the problem. The rest of us who downloaded in HTML saw the email in its full rainbow glory.
Re:C-Suite Attitudes (Score:4, Insightful)
Dude, please! Grammar!
Twitter is a proper noun, so capitalize it. And there should be a comma between "Twitter" and "right". There should also be a comma between "petty" and "little", as they both are adjectives describing "bitch". And finally, some punctuation after the second sentence. From your tone I'd suggest an exclamation point, but a period could also be acceptable if you want to imply exasperation instead of passion.
Re: (Score:3)
God forbid anyone make a fucking typo on twitter right?
Spellcheckers exist for a reason. If you're releasing information to the public, it should be error free.
Fuck off you petty little bitch
Ignorance is not a virtue.
Disconnect = Lack of effective communication (Score:3)
When you have a situation where each party is blaming the other, the cause is almost always a lack of effective communication by BOTH sides.
If each thinks that the other is responsible, then neither has successfully articulated their opinions to the other.
As an IT person, I do not mind being given the responsibility for handling cyber attacks, as long as I am also given the express authority that "handling" will require, and the budget to provision security and prevention measures.
Of course, I am not going to get the budget that I ask for, no department head ever does. But then my acceptance of that budget comes with the written caveat that a reduced budget directly impacts my ability to "handle" cyber incidents and will increase the risk of successful attacks or sub-optimal mitigation of attacks.
Re: (Score:3)
Pretty much. People have an over-inflated sense of self-importance (IT says not being able to effectively do their job costs company millions more than C-level executives think it will) and want everything to be someone else's fault. QED.
I can tell people what risk I can and can't handle given a budget. I'm not in that position; I'm just tech labor. I'm fully-capable of performing proper organizational risk assessment, planning risk controls, and assembling the necessary tools and procedures to contro
Re: (Score:2)
Finally, someone who actually has some experience. You are right on point sir.
"Here is the risk. Here is the cost to mitigate the risk. Here is the risk of doing nothing. Let me know which way you want me to go. Please respond via email so that when the risk you decided you didn't want to mitigate materializes, you, me and everyone else understands who made the decision to ignore it."
Both (Score:2)
The IT people are the one who understand the issues and can put things in place.
The C-suites must give the IT people the budget and the power - including telling C-suites that they cannot run their favourite games on corporate equipment.
In the event of a problem the C-suites must be the ones who are blamed, even if the IT people screw up (as they should have checked what they were being told by IT). This is the only way that there is a hope in hell that we might get close to getting this nailed.
This is one
What about old software stuck on 2003 / xp / etc? (Score:2)
What about old software stuck on 2003 / xp / etc? That the suits don't want to shell out the cost to buy new apps that run on 10 / 2012 / 2016?
Odd (Score:2)
Security decisions ultimately come from the board of directors, not the C-Suite or the IT department. The board dictates what direction they want, the C-Suite manages that direction and IT executes the plan.
C-Suite should never be involved with security decisions beyond doing what they are told by the board. History, I believe, bears this out.
Re: (Score:2)
They just won't pay someone to develop it right.
No, I don't think that's the case. Any security you pay for is introduced too late. No exceptions. You can't hire security-minded thinking. You need to get everyone to think of security to start with, instead of trying to hire security, and it won't cost nearly as much.
Wait, what? (Score:1)
How can the IT department be held responsible if they aren't the ones making the decisions? The 'C-suite execs' have to authorize them first. Amirite?
Re: (Score:2)
>but doesn't follow through
There's a marginal blame for lax follow through on the follow through that rolls uphill (or at least is supposed to) into middle management or higher.
Mind, this level of blame may be little more than mild reprimand for doing a meh job. Your point stands, IT's at fault if they were ordered to do X and didn't.
Re: (Score:2)
IT needs to clearly document what the threats are and the resources requested to mitigate the threats.
I think that's part of the problem. Those who have enough technical insight to see the actual problems aren't the same people who communicate with upper management, or have skills in doing so.
Of course, there are also unreasonable requirements too, like being able to document how likely each scenario is, or how high the corporate costs of any breach will be, given that IT isn't privy to the economic details of damage done to the rest of the business. So there will be a lot of SWAG, which may well end up a
3rd party vendors also have control and can make (Score:2)
3rd party vendors also have control and can make it hard to lock stuff down.
from the Journal of Predictable Answers (Score:2)
In related news, 85% of both groups combined think they are good at their jobs.
Interviewer: You get paid the big bucks. Are you doing it wrong?
Interviewee #1: Well, gosh, I don't know.
Interviewee #2: Every damn time, and twice for breakfast.
Interviewer: Uh, #2, how long have you held your current rank.
Interviewee #2: The previous numbnut is still fumbling for his keys in the parking lot, with all his execu
Re: (Score:2)
I'm the janitor. The chief custodian wears a shirt and tie, so I do, too. Always dress like the boss, you know.
A recruiter sent me off to a biotech company to interview for an IT support job. She told me to dress up in a suit and tie. I went into the lobby, which didn't have a receptionist, called the IT manager, and sat down. For 90 minutes people came and went through the lobby. I kept getting phone calls from the recruiter asking where the hell I was. Finally, a guy in sweat pants and shirt asked me who I was there to see. He was the IT manager. The CEO was dressed worse than him. Everyone, including all the scientists walk
Re: (Score:2)
I bailed in a similar situation. I went for an interview, told the receptionist I was there for an interview and who my contact was.
45 minutes later, I called my recruiter and told him I was bailing out.
Re: (Score:2)
I bailed in a similar situation.
At that time I was out of work for two years and getting ready to file Chapter Seven bankruptcy. Bailing out wasn't an option. Not long after that interview, I started working multiple jobs for seven days a week for the next two years to recover from the Great Recession.
Re: (Score:2)
Sympathies. Dude. Glad you made it through.
Re: (Score:2)
90 minutes? That's about an hour longer than I'd have been there.
Remember that job interviews are a 2-way street - you're interviewing the company to see if you even want to work there.
That lack of respect for time, lack of awareness of everyone who walked by you, and the lack of self respect in attire says you made the right call.
Re: (Score:2)
That lack of respect for time, lack of awareness of everyone who walked by you, and the lack of self respect in attire says you made the right call.
The IT manager was looking for a drinking buddy more than a tech. Those guys and everyone around them who don't keep a professional distance tend to get fired by management.
Scapegoats and finger pointing. (Score:2)
I'd say the only thing one can accurately get out of TFS is the fact that no one involved wants to be the scapegoat when the shit hits the fan.
Gotta love it when fucking finger pointing is the true cause of a vulnerable environment.
They are asking the wrong question. (Score:1)
Shouldn't the real question be why we allow vendors to make and sell products with insecure features and standards, such as Flash, Java, VBS, etc.?
The real problem comes from the standard that allows remote code execution on the user's machine. If you force people to use crappy tools you get crappy systems.
Let's reframe the issue (Score:2)
The issue isn't that each thinks the other is responsible, it's that each thinks they, themselves, are not.
IT people have to be the ones to implement. Executives have to pay for it. Proper security cannot be done without both buying in fully.
To frame the issue any other way is to fail.
Re: (Score:2)
If a computer enters the network that is not pre-authorized and already vetted, and gains unauthorized access, IT is responsible.
I worked on a PC refresh project where the engineers were told that they weren't going to keep their old workstation after the data transfer. Next morning they couldn't connect to the network with either the new or old workstations. It took an IT tech the better part of the day to track down a half-dozen rogue routers that were being used as switches for the new and old workstations. Since the users didn't bother to turn off the DHCP server on the routers, all nearby systems had a 192.168.1.x network address that went
Re: (Score:2)
This is exactly how I handle all the switches in all my networks.
That wasn't my experience at the Fortune 500 companies I've worked at. When I got into government IT, everything got locked down tight. Put a USB stick into your workstation, security will be at your desk in five minutes to take it away.
Re: (Score:2)
Sounds like you are incompetent if it takes you a day to recognize and find rogue routers.
It took the IT tech half a day to find and remove those routers. I was the Dell tech replacing the workstations, so it wasn't my problem that someone else was fouling up the networks.
Do you even ARP bro?
Please explain how to use ARP to find routers that are physically hidden behind two large workstations on the floor.
You are too busy eating 1500 calories a day while somehow weighing 350# and claiming it is from weight lifting.
That's relevant to this discussion how?
Re: (Score:2)
Assuming your switch ports are documented to their connected wallplates, you can find the device by dumping the ARP table in the switch then finding the associated wallplate based on the offending MAC in the table. Impossible if you aren't doing the correct level of documentation, child's play if you are.
I don't think the network team was involved. Since the problem started the next morning after the new workstations got rolled out the night before, it was viewed as a desktop problem and not a network problem. Once the routers were found, it became a user problem.
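An added example, not code from this thread, of the defender-side lookup the replies above describe: given constructed DHCP OFFER records from a host sniffer, a constructed 'show mac address-table' style dump from the access switch, and a constructed port-to-wallplate map, it flags offers from unauthorized servers and resolves each rogue's MAC to the switch port and the wallplate to walk to. The log format, the table layout, the function names and all addresses are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample: DHCP OFFER records as a host-side sniffer might log them.
DHCP_OFFERS = """\
2017-02-13 08:01:02 OFFER server=10.20.0.5 srvmac=00:11:22:33:44:55 offered=10.20.3.41
2017-02-13 08:01:03 OFFER server=192.168.1.1 srvmac=c0:ff:ee:00:00:01 offered=192.168.1.100
2017-02-13 08:01:04 OFFER server=192.168.1.1 srvmac=c0:ff:ee:00:00:01 offered=192.168.1.101
2017-02-13 08:01:09 OFFER server=192.168.1.1 srvmac=c0:ff:ee:00:00:02 offered=192.168.1.100
"""

# Constructed sample: the access switch's table in 'show mac address-table' layout.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/48
  10    c0ff.ee00.0001    DYNAMIC     Gi1/0/7
  10    c0ff.ee00.0002    DYNAMIC     Gi1/0/19
"""

# Constructed sample: the port-to-wallplate documentation the reply insists on.
PORT_TO_WALLPLATE = {"Gi1/0/48": "uplink", "Gi1/0/7": "2F-114-B", "Gi1/0/19": "2F-121-A"}

AUTHORIZED_DHCP_SERVERS = {"10.20.0.5"}  # assumed: the only sanctioned DHCP server

OFFER_RE = re.compile(r"OFFER server=(\S+) srvmac=(\S+) offered=(\S+)")
CISCO_MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")


def normalize_mac(mac: str) -> str:
    """Reduce aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def rogue_dhcp_servers(offer_log: str, authorized: Set[str]) -> Dict[str, str]:
    """Map server MAC -> server IP for every OFFER not sent by an authorized server."""
    rogues: Dict[str, str] = {}
    for line in offer_log.splitlines():
        match = OFFER_RE.search(line)
        if match is None:
            continue  # not an OFFER record; ignore
        server_ip, server_mac, _offered = match.groups()
        if server_ip not in authorized:
            rogues[normalize_mac(server_mac)] = server_ip
    return rogues


def parse_mac_table(dump: str) -> Dict[str, str]:
    """Map normalized MAC -> switch port, skipping header and separator lines."""
    table: Dict[str, str] = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) == 4 and CISCO_MAC_RE.fullmatch(parts[1]):
            table[normalize_mac(parts[1])] = parts[3]
    return table


def locate_rogues(offer_log: str, dump: str, port_map: Dict[str, str],
                  authorized: Set[str]) -> List[dict]:
    """Join the three sources: rogue MAC -> switch port -> wallplate to walk to."""
    ports = parse_mac_table(dump)
    findings = []
    for mac, ip in sorted(rogue_dhcp_servers(offer_log, authorized).items()):
        port = ports.get(mac)  # None if the switch has not learned this MAC yet
        where = port_map.get(port, "undocumented") if port else "not in MAC table"
        findings.append({"mac": mac, "ip": ip, "port": port, "wallplate": where})
    return findings


if __name__ == "__main__":
    for f in locate_rogues(DHCP_OFFERS, MAC_TABLE, PORT_TO_WALLPLATE, AUTHORIZED_DHCP_SERVERS):
        print(f"rogue DHCP {f['ip']} ({f['mac']}) on {f['port']} -> wallplate {f['wallplate']}")
```

Without the port-to-wallplate map the result stops at a switch port, which is the "impossible if you aren't doing the correct level of documentation" case from the reply.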
What happened? (Score:2)
What about the generation shareholders? Executive bonuses are enjoyed every year. Why is that profit going on security hardware and software?
Are US legal teams haunted by some open court event in the 1980's or 1990's?
Logs finally showed an issue, law enforcement got contacted is all the compliance that needs to be public.
Showing a team understood an issue but could not prevent it or failed to report an is
Yes to Both (Score:3)
The goal is to get executive support for both programs and resources (especially $$$) that allow IT decision makers to implement proper security.
If IT decision makers are unable to influence and persuade, pass the management hat and go back to coding.