Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security The Internet IT Technology

83 Percent Of Security Staff Waste Time Fixing Other IT Problems (betanews.com) 204

An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.
This discussion has been archived. No new comments can be posted.

83 Percent Of Security Staff Waste Time Fixing Other IT Problems

Comments Filter:
  • by mykepredko ( 40154 ) on Thursday May 25, 2017 @04:36PM (#54487363) Homepage

    "IT personnel are usually the helpful, go-to people for sorting out issues"?

    If people are calling system security to help with computer issues that should be handled by the IT help desk then it's probably because:
    1. The issues being reported appear to be security problems.
    2. The IT helpdesk consists of condescending asshats which most employees avoid at all costs (based on my work experience, I bet this is the big reason).

    More seriously, if security staff are only being called in on inappropriate calls that take up less time in a given week than they spend choosing what to put in their coffee; you've got a pretty efficient IT setup with very little to worry about.

    Or you haven't gotten a clue as to what's going on and the North Koreans are actually running your business.

    • . . . the loose nut behind the keyboard.

      "I didn't change anything on my configuration, but my computer is not working any more, so it must be some automatic security restriction that happened automatically . . . "

      • by msauve ( 701917 )
        "I didn't change anything on my configuration, but my computer is not working any more, so it must be some automatic security restriction that happened automatically . . . "

        Obligatory [dilbert.com]
    • by rtb61 ( 674572 )

      To be fair business end users treat IT staff like shit blaming them for everything wrong with the crap coding produced by software companies. To be fair staff get rightly pissed off when their work is destroyed by the computer system approved by IT staff. To be fair the IT staff have no real choice in the software deployed and according to all the warranties, all software currently out on the market is shit and is not worth buying (read the warranty). Problem, neither the business users nor the IT staff, ge

    • Comment removed based on user account deletion
      • Those that works in IT Security generally have years, if not a decade or more, of tier 2 and teir 3 level experience. Meaning, they've long graduated helpdesk, and yet as the most experienced in the group, they're still the go-to people to seek regardless of the fact it's NOT THEIR JOB.

        I work in government IT on a nation-wide project for security remediation. Everyone has at least 20 years of IT experience. We are completely separate from the national help desk and the local desktop teams. The local sites kept trying to draft us for special projects because we took up valuable office space and gave nothing in return that improves the site's reporting metric. Our value weren't realized until the sites started passing routine security inspections with little effort on their part.

    • by Z00L00K ( 682162 )

      Local IT support employed by the same company usually fixes stuff easily, outsourced IT support is another factor - an urgent fix takes 48 hours and that don't help you when you have a problem with the projector in a conference room with a high profile customer that has to be fixed in 5 minutes.

  • I'll see myself out.
  • "Not only are modern IT security professionals faced with a growing complexity and skills gap and keeping up with technology investments and advancements, but they are also expected by colleagues to help them sort out their personal computing woes," says Michael Callahan, CMO of FireMon. "IT personnel are usually the helpful, go-to people for sorting out issues, but it's only when you start to cost it out that you realize how much money it equates to."

    Do they mean work colleagues come to them with problems instead of the "normal" IT staff? Or that other, non-security, IT staff are coming to them with problem they can't figure out on their own?

    In the first case why don't the security people direct the questions to the correct staff members? In the second case, either the company isn't spending enough on hiring and training and the "savings" there is coming back to bite them in the ass, or this is perfectly normal collaboration between colleagues. If ((

  • Coffee breaks? (Score:5, Insightful)

    by richardellisjr ( 584919 ) on Thursday May 25, 2017 @04:40PM (#54487395)
    And 90% spend 20 minutes a day getting coffee which requires an additional 20 minutes a day going to the bathroom. People spend time at work doing things other than what they are paid for, it's the nature of most jobs. Most companies accept this.
    • Yup, which is why a lot of places based work day estimates on 6 hour days, even though staff work for 8 hours.
      There's toilet breaks, there's staff meetings, there's coffee breaks, there's chatting to co-workers, there's posting on slashdot.

      • Yup, which is why a lot of places based work day estimates on 6 hour days, even though staff work for 8 hours.
        There's toilet breaks, there's staff meetings, there's coffee breaks, there's chatting to co-workers, there's posting on slashdot.

        Staff meetings are not work? Wait... nevermind.

        • >Staff meetings are not work?

          Good ones are... but I've been in IT for a couple of decades and been involved in a lot of meetings over that time at several different companies... and I can think of ONE meeting that was highly productive and I would consider 'good', and a handful of others that were moderately 'OK'.

          The rest were a waste of time where managers were playing around at 'communicating' and failing miserably. Usually, a well-written email would have done the job in a fraction of the time, and

          • Excuse yourself, something bad you ate. Don't come back. If they ask, tell them the paint was peeling in the bathroom/your office. They will thank you and you can get actual work done.

            If they bug you about it, next time, the night before, hard boiled eggs, KimChi and cheap beer...

          • The rest were a waste of time where managers were playing around at 'communicating' and failing miserably.

            I don't understand why this is so common, shouldn't managers be folks that were once NOT managers? I mean, I worked my way up from the bottom (though I have *NEVER* been any sort of "help desk"), and consider myself a pretty good manager that does not waste the valuable time of my worker bees. They don't need me to pontificate about "synergy" or some other bullshit. I call meetings when it's necessary for people to be on the same page, talk about project status and problems, maybe occasionally brainstorm if

        • by Z00L00K ( 682162 )

          Some companies have more meetings where issues are raised why they don't reach their goals than actual time over to do the work.

    • Without coffee, you wouldn't get anything done in our company. I have not had a single meeting where you didn't get your results during the coffee breaks rather than the actual meeting. Mostly because there is no protocol running during the breaks. You can simply ask what the fuck is their problem why they keep blocking your proposal, and you actually get a sensible answer to it, and then you can actually start to work on the problem.

      I'm currently trying to figure out a way how I can simply forgo meetings a

    • Splitting up your day with tasks such as keeping you awake, or motor tasks such as walking to the bathroom to relieve something that distracts you is positive.

      Distracting your work with other work isn't positive. It is just distracting and best and leads to burnout at worst.

  • Do you mean guys with guns on their hips? Or at least ones who place their hand thusly, giving the appearance they are armed?

    • A college roommate of mine became a network technician for the FBI. He carries a gun when out in the field. Some people don't like the idea that a forensic analysis of their PC can and will be used against them in a court of law..
  • How much extra time would a less qualified (lower paid) person be taking to do the same work?
    If they get paid 20% less but take twice as long, there is savings, not waste.

  • by gweihir ( 88907 ) on Thursday May 25, 2017 @04:48PM (#54487467)

    It serves to establish and maintain closer relationships between users and IT security people, so that, you know, if a user has a suspicion of a security problem, they feel more confident and approach IT security staff earlier. But that idea flays wayyyyy above the heads of MBA morons.

  • I wouldn't mind earning $88K for working one hour a week.

  • by Baron_Yam ( 643147 ) on Thursday May 25, 2017 @04:54PM (#54487513)

    1) The help desk won't tell the user they don't know how to do their job (and usually the user is so bad at describing the issue they probably haven't had a chance to figure out it's a PEBKAC issue) so they dispatch desktop support.

    2) Desktop support doesn't understand what's happening and doesn't communicate well with the user to get the details required to figure it out, so they blame network (security/policy/site connectivity/whatever).

    3) The network tech stops what they're doing to prove it's a desktop issue so they can push the job back down the chain.

    4) The desktop guys figure out the user is improperly trained - sometimes they're just clueless, sometimes there's a change and their department didn't do the training... or even a simple notification.

    That describes 80% of the tickets I am aware of in our organization. Sometimes it bounces back and forth between steps 2 and 3 a couple of times, to the user's frustration and the discredit of the IT department. The important thing is that I am neither tier 1 support nor a network guy, so I can mostly sit to the side and look down disdainfully at the whole farce without actually having to do something about it.

    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Thursday May 25, 2017 @08:00PM (#54488383)
      Comment removed based on user account deletion
      • Yep. This is perhaps the best advice you can give anyone who does wide-ranging support over diverse systems. If you're a phone jockey for a specific piece of software or something, they might be a bit less relevant, but if you're desktop/server/networking/everything support then the advice above will save you a ton of time and grief.

        I would add that the 4th and final part would be the soft-skills to get the user to help you scope the issue without them getting angry ("Why are you doubting me?!") or frustrat

    • First off on the topic, I don't think it is all that surprising, but would add that it isn't just "Security staff", but essentially all IT staff not in a direct support roll. It happens to me all the time, and for the most part I'm happy to oblige if I can. It only becomes annoying when I have other priorities or pressures, and so-and-so wanders by and wants me to figure out his printer problem or something when I should be testing a corporate application for bugs on a deadline.

      Second I do have a limited su

  • I tell people to call the help desk phone line so I can spend more time commenting on Slashdot while waiting for the real security work to roll downhill.
    • >I tell people to call the help desk phone line

      I tell them to email our automated ticketing system. It creates a ticket with the correct user information and doesn't require our help desk staff to waste any time interpreting what the user's trying to say... the user just types out what they will and can attach a screen shot.

      Then the system does a keyword search and 99% of the time it will appropriately assign the ticket to the correct class of support personnel.

      Then the help desk folks can ALSO spend mo

  • Really? (Score:5, Insightful)

    by Picodon ( 4937267 ) on Thursday May 25, 2017 @05:06PM (#54487583)

    I don’t understand the math, here. The sourced “article” (it’s more of an advertorial, really) affirms:
    - salaries upwards of $100,000 a year
    - 80% say more than 1 hour per week, which could equate $88,000 per year.
    - 8% say more than 5 hours per week, which could equate $400,000 per year.
    - up to to 12.5% of investment squandered.

    At the risk of making a fool out of myself:
    - $100,000 per year is about $50 per hour, isn’t it?
    - 80% staff spending 1 hour per week (50 hours per year) would then cost an average of $2000 per employee per year, not $88,000.
    - 8% staff spending 5 hours per week (250 hours per year) would then cost an average of $1000 per employee per year, not $400,000.
    - 8% staff spending 5 hours per week (12.5% of the work week) and the remaining 72% spending 1 hour per week (2.5% of the work week) would represent an average of 2.8% of investment squandered, not 12.5%.

    Naturally, to measure the true loss, you’d also have to deduct the costs saved from not asking the regular IT staff to do the job, and also the gains obtained from the immediate increase in productivity resulting from the security staff’s intervention.

    Of course, the article is thinly disguised advertisement for some “automation solutions available that help them keep their day-to-day work”, so accuracy may not be paramount, compared to shock value

  • It's from beetrootnews. By vegetables, for vegetables, about vegetables.

  • Too often the people that fix things open up security holes. Most of the time IT departments 'training' consists of "This is how you google the solution to your problem." and "Call this Vendor for this problem."

    For anything more than that, the help desk is useless but the Security department knows how to fix the issue.

  • by s1d3track3D ( 1504503 ) on Thursday May 25, 2017 @05:16PM (#54487647)
    Isn't it "1% of IT staff fixes 83% of problems"
  • by davej ( 75609 ) on Thursday May 25, 2017 @05:23PM (#54487705) Homepage

    Security people need to be on top of multiple fields. You can't be in IT security without knowing a lot about all the layers in system.

    Specialist network techs look at a problem and push it to specialist server/desktop techs if it doesn't fit their view of a "network issue". The user gets bounced back and forth till they give up or figure it out themselves.

    Take the problem direct to a security specialist and 9 times out of 10, they will be able to point directly to the root of the problem because they don't have tunnel vision. Word of mouth spreads the idea that "Fred in security will know how to fix that", rinse and repeat and you spend half your day on support issues.

    It's human nature. And not necessarily a bad thing as as single call for help can lead to nipping a security issue in the bud..

    More general training (and higher pay!) for help desk staff is the only real answer but people are locked into the idea that help desk are "ticket generators" rather than troubleshooters.

  • That's okay, I spend 40% of my time working around app response and usage problems created by overly-aggressive McAfee settings put there by Security.

  • You're basically paying a 'security' professional who is really just an "IT person" in order to make sure you got the 'security' in your company and can check of a box on the PCI/HIPAA/SoX compliance worksheets.

    What else is the security guy supposed to do? You can't read/write CVE's all day long, you actually have to do system or network administration at some point.

    And what would happen if the guy was only relegated to the core job description? He'd be playing video games all day long anyway.

    • The danger of plenty of IT jobs - if you're competent and have time to do more than just 'put out fires' (i.e., apply quick and sloppy fixes instead of taking the time to fix the fundamental issues) - eventually you can eliminate most of your own job just by setting things up correctly.

      If you're lucky that means they recognize you're good at improving system efficiencies and move you on to something else. If you're not lucky, it means they're happy sitting in 'maintenance' mode, they shrink the team, and s

  • Security, by the very definition of the job, deals with stuff that isn't for public consumption. That in turn means that it usually takes a bit of work to get these people cleared to do what they're doing. It actually took nearly 2 months for me to just get all the necessary clearance checks done so I can sit in the office that I sit in now. Without them, no chance to get in there at all.

    Yes, that means I have to empty my own waste bin and run the vacuum cleaner myself every time it gets so dirty that even

  • by King_TJ ( 85913 ) on Thursday May 25, 2017 @08:02PM (#54488391) Journal

    My experience doing I.T. for several mid-sized companies over the last 20 years is, none of them had big enough budgets to justify hiring dedicated "security" people. It's simply the best "bang for the buck" to hire a core group of a few I.T. "support people" who take care of servers, trouble tickets from users, and do some of the planning and upgrade projects.

    When I've met "InfoSec" guys working for businesses similar to the ones I've worked for (perhaps a bit larger in size with larger budgets)? They typically come off as a bit arrogant. They like to spend a lot of time going around to other people in I.T., giving out their unsolicited advice on how something or other should be done, and do a lot of bending the ear of middle or upper management to get policies and procedures put in place to formalize their ideas.

    Are they intelligent people who actually do have a lot of knowledge about securing a network? Yes! But they often fail to really grasp that security is always going to be a trade-off. The more you secure the environment, the less worker-friendly it becomes. The I.T. "generalists" who have been supporting networks, servers, workstations, and all the peripherals and software swirling around them often have an awareness that many of these recommendations for "better security" aren't being implemented. The InfoSec types become a bit like annoying flies or gnats that keep buzzing around your head while you're trying to work. They work against your own goal of improving efficiency and worker productivity with their demands that "everyone change their passwords every 14 days, using no less than X number of characters with upper and lowercase, plus at least 1 special symbol", or that all the USB ports on the desktops be glued shut, or ??

    I'm sure that in many cases, these guys get paid handsomely to secure things, but once they've implemented all the ideas they can come up with -- they have a lot of time on their hands, just checking log files or doing the occasional audits of what's already supposed to be in place. It makes sense to utilize them to do more of the "day to day support" stuff, so you're not paying them to sit on their hands waiting for the next big malware outbreak or suspected hack to come along.

    • by swb ( 14022 )

      I think you're spot on.

      I think one reason the security people are getting dragged into ordinary problem solving is that ordinary support people are running into end-user problems that are *caused* by security configurations that support can't change.

      I think a lot of security people want to sit in the back room and implement a bunch of security changes without consideration of what breaks or how it effects end users. It may be the "right" thing to do, but they don't care about the side effects.

  • Why don't these people ask their co-workers to fix their cars for them? How about their busted TV?
  • As someone who taught corporate level security classes, who is now in corporate security offices going around helping other businesses and use to be a system admin security people are some of the worst technical people around excluding end users.
    The reason they are doing outside work is because under normal circumstances most of them are doing nothing. Most are so tech ignorant that they just watch their tools for alerts but don't have the skills needed to set them up for much more than what ships with th
  • and sometimes I end up wasting upwards of half my time not programming, and nobody seems to care!

    In fact, clients often specifically tell me to not to mention the problems I run into that prevent me from doing my job.

    I just can't believe these people are going to get their panties in a bunch over security professionals losing an hour a week here and there.
  • So the 100k security guy is spending 10% of his time doing something that the 100K admin is supposed to be doing. Sad!

Genius is ten percent inspiration and fifty percent capital gains.

Working...