Date: 2017-02-15
IT Decision Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com)
Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while the C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of the C-suite, and 81 percent of IT teams, believe they have the right protection set up.
They just don't care (Score:3, Insightful)
Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.
Toys, toys, toys... (Score:5, Insightful)
If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.
They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.
Local administrative rights are needed by some software.
Well, if I need to have 2 laptops then I need 2 data cards with worldwide data. Or is it ok to use a hotspot for both?
IT needs to get tough (Score:2, Insightful)
Managers don't care about security. They give you no time and resources to properly implement it. Then when the breach happens, they suddenly care A LOT about security, and it's all your fault.
There needs to be set security standards for the industry, and managers should have to sign off saying they don't care about these standards when they choose not to allocate the proper time and resources for security.
down time for reboots for updates needs to be ok (Score:2)
Downtime for reboots for updates needs to be ok.
What is a "Decision Maker?" (Score:2)
Is "Decision Maker" ManagerSpeak for "Security Team?" Otherwise, it sounds like the study may just be contrasting the opinions of middle-upper and senior management, which sounds pointless.
What is an "IT Decision Maker?"
The guy from Geek Squad who got hired to run the entire IT department by himself.
I would think that an IT decision maker is the one who has control of the IT budget.
God forbid anyone make a fucking typo on twitter right? Fuck off you petty little bitch
Dude, please! Grammar!
Twitter is a proper noun, so capitalize it. And there should be a comma between "Twitter" and "right". There should also be a comma between "petty" and "little", as they both are adjectives describing "bitch". And finally, some punctuation after the second sentence. From your tone I'd suggest an exclamation point, but a period could also be acceptable if you want to imply exasperation instead of passion.
God forbid anyone make a fucking typo on twitter right?
Spellcheckers exist for a reason. If you're releasing information to the public, it should be error free.
Fuck off you petty little bitch
Ignorance is not a virtue.
Disconnect = Lack of effective communication (Score:2)
When you have a situation where each party is blaming the other, the cause is almost always a lack of effective communication by BOTH sides.
If each thinks that the other is responsible, then neither has successfully articulated their opinions to the other.
As an IT person, I do not mind being given the responsibility for handling cyber attacks, as long as I am also given the express authority that "handling" will require, and the budget to provision security and prevention measures.
Of course, I am not going
Pretty much. People have an over-inflated sense of self-importance (IT says not being able to effectively do their job costs company millions more than C-level executives think it will) and want everything to be someone else's fault. QED.
I can tell people what risk I can and can't handle given a budget. I'm not in that position; I'm just tech labor. I'm fully-capable of performing proper organizational risk assessment, planning risk controls, and assembling the necessary tools and procedures to contro
Both (Score:2)
The IT people are the one who understand the issues and can put things in place.
The C-suites must give the IT people the budget and the power - including telling C-suites that they cannot run their favourite games on corporate equipment.
In the event of a problem the C-suites must be the ones who are blamed, even if the IT people screw up (as they should have checked what they were being told by IT). This is the only way that there is a hope in hell that we might get close to getting this nailed.
This is one
What about old software stuck on 2003 / xp / etc? (Score:2)
What about old software stuck on 2003 / xp / etc? That the suits don't want to shell out the cost to buy new apps that run on 10 / 2012 / 2016?
Odd (Score:2)
Security decisions ultimately come from the board of directors, not the C-Suite or the IT department. The board dictates what direction they want, the C-Suite manages that direction and IT executes the plan.
The C-Suite should never be involved with security decisions beyond doing what they are told by the board. History, I believe, bears this out.
Wait, what? (Score:1)
How can the IT department be held responsible if they aren't the ones making the decisions? The 'C-suite execs' have to authorize them first. Amirite?
3rd party vendors also have control and can make (Score:2)
3rd party vendors also have control and can make it hard to lock stuff down.
from the Journal of Predictable Answers (Score:2)
In related news, 85% of both groups combined think they are good at their jobs.
Interviewer: You get paid the big bucks. Are you doing it wrong?
Interviewee #1: Well, gosh, I don't know.
Interviewee #2: Every damn time, and twice for breakfast.
Interviewer: Uh, #2, how long have you held your current rank.
Scapegoats and finger pointing. (Score:2)
I'd say the only thing one can accurately get out of TFS is the fact that no one involved wants to be the scapegoat when the shit hits the fan.
Gotta love it when fucking finger pointing is the true cause of a vulnerable environment.