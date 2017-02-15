

 


Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.

  • They just don't care (Score:3, Insightful)

    by Anonymous Coward on Wednesday February 15, 2017 @12:26PM (#53874241)

    Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.

  • Toys, toys, toys... (Score:5, Insightful)

    by chill ( 34294 ) on Wednesday February 15, 2017 @12:31PM (#53874289) Journal

    If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.

    They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.

    • Local administrative rights are needed by some software.

      Well, if I need to have 2 laptops then I need 2 data cards with worldwide data. Or is it OK to use a hot spot for both?

  • IT needs to get tough (Score:2, Insightful)

    by Anonymous Coward

    Managers don't care about security. They give you no time and resources to properly implement it. Then when the breach happens, they suddenly care A LOT about security, and it's all your fault.

    There need to be set security standards for the industry, and managers should have to sign off saying they don't care about these standards when they choose not to allocate the proper time and resources for security.

  • I know what a C-level exec is. What is an "IT Decision Maker?" The full article is basically the summary plus a bit of fluff with no sources and no additional information.

    Is "Decision Maker" ManagerSpeak for "Security Team?" Otherwise, it sounds like the study may just be contrasting the opinions of middle-upper and senior management, which sounds pointless.

    • Re: (Score:2)

      by creimer ( 824291 )

      What is an "IT Decision Maker?"

      The guy from Geek Squad who got hired to run the entire IT department by himself.

    • I would think that an IT decision maker is the one who has control of the IT budget.

  • When you have a situation where each party is blaming the other, the cause is almost always a lack of effective communication by BOTH sides.
    If each thinks that the other is responsible, then neither has successfully articulated their opinions to the other.
    As an IT person, I do not mind being given the responsibility for handling cyber attacks, as long as I am also given the express authority that "handling" will require, and the budget to provision security and prevention measures.
    Of course, I am not going

    • Pretty much. People have an over-inflated sense of self-importance (IT says not being able to effectively do their job costs company millions more than C-level executives think it will) and want everything to be someone else's fault. QED.

      I can tell people what risk I can and can't handle given a budget. I'm not in that position; I'm just tech labor. I'm fully-capable of performing proper organizational risk assessment, planning risk controls, and assembling the necessary tools and procedures to contro

  • The IT people are the ones who understand the issues and can put things in place.

    The C-suites must give the IT people the budget and the power - including telling C-suites that they cannot run their favourite games on corporate equipment.

    In the event of a problem the C-suites must be the ones who are blamed, even if the IT people screw up (as they should have checked what they were being told by IT). This is the only way that there is a hope in hell that we might get close to getting this nailed.

    This is one

  • Odd (Score:2)

    by geek ( 5680 )

    Security decisions ultimately come from the board of directors, not the C-Suite or the IT department. The board dictates what direction they want, the C-Suite manages that direction and IT executes the plan.

    C-Suite should never be involved with security decisions beyond doing what they are told by the board. History I believe bears this out.

  • How can the IT department be held responsible if they aren't the ones making the decisions? The 'C-suite execs' have to authorize them first. Amirite?

  • 3rd party vendors also have control and can make it hard to lock stuff down.

  • Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.

    In related news, 85% of both groups combined think they are good at their jobs.

    Interviewer: You get paid the big bucks. Are you doing it wrong?

    Interviewee #1: Well, gosh, I don't know.

    Interviewee #2: Every damn time, and twice for breakfast.

    Interviewer: Uh, #2, how long have you held your current rank?

    Interviewee #2: The previous numbnut is still fumbling for his keys in the parking lot, with all his execu

  • I'd say the only thing one can accurately get out of TFS is the fact that no one involved wants to be the scapegoat when the shit hits the fan.

    Gotta love it when fucking finger pointing is the true cause of a vulnerable environment.

