Slashdot Mirror
Security's Shaky State
Ant writes "According to InformationWeek, Information Technology (I.T.) security professionals say when it comes to security, most I.T. departments are underfunded, understaffed, and underrepresented.
Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with."
A major part of the problem is that CFO types don't like spending money on things they don't see a need for. By the time they see a need for security, it's past the point at which throwing money at the problem will fix things.
Likewise, the security side of an I.T. department is the sort of job that is hard to justify to people who assume that if they don't notice results, the job isn't really doing much.
Ah the glory of an invisible job.
-JMP
Bitch bitch bitch. You'd think IT was a profit center.
The IT Security department does more preventative solutions then anything else... so basically, if you don't hear booh about them, it's a good thing. Essentially, the better the job they do, the less the management of a company realizes they are important. "Oh, well we haven't gotten hacked in 3 years... we can afford to cut our security department budget this quarter".
LINUX ONLINE POKER: Linux Poker
Sarbanes-Oxley act is the new security-minded sysadmin's best friend.
Managers and Execs start taking IT security a hell of a lot more seriously when they realize they can go to jail if they're implicated in fraud.
To comply with SOX, you have to document all your procedures, all your data flow, and make it available to gov't regulators. You also have to document what holes you're aware of in your systems and how you plug them.
Whistleblowing is quick, easy, anonymous, and DEVESTATING.
SOX ROX.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
It's unfortunate that unions have gotten such a bad rap, especially among engineers in the computer-related fields. For all the Randian talk of rugged individualism, most people really are just sycophants and sheep. That's not bashing, it's just the way it is. For every engineer demanding better pay and working conditions, there are one thousand who are just happy to collect a paycheck every two weeks. If the industry was made up of solely the former type of engineer, there really wouldn't be any need for unions, each person acting in his own self-interest would be a union unto himself.
However, when you look around and see people working 40+ hours a week, working on the weekends, working through the night, showering at work because they don't have time to go home, and being pushed through project cycles that are causing undo stress, something is wrong. The balance of power is not maintained and the employers are exploiting the engineers. That "great" paycheck you're raking in every two weeks suddenly comes out to barely double minimum wage when you break it down hourly. The cost to your family is also incredibly high as they don't have you around. It's a terrible situation.
So what's the solution? Well, the favored solution among the computer cognoscenti is to "go find yourself a new line of work". Why should someone who is good at their job be forced to take a different job just because the industry is unwilling to offer a fair wage as well as reasonable working conditions? It should not be a requirement that anyone who wants to work in the computer industry should also be forced to give up their personal lives. Unionizing is one very good way of forcing employers to bend to the needs of the employed.
It's unfortunate that so many people are against the idea. We ought to be working to live, not living to work.
Jesus saved me from my past. He can save you as well.
There's not much you can really do about it. You can buy all the "security" in the world and the next M$ worm will still take out your servers and your desktops. The only thing more staff does is make the recovery faster, but the limit is how fast Microsoft themselves fix the real problem. Beyond that, you block ports and services until things go away, which is not much better than broken.
At big companies, the problem is NOT a lack of resources, it's resources poorly spent. The quoted ratio is 1:5, one Unix admin can do the work of five Windoze admins.
Friends don't help friends install M$ junk.
Security is underfunded because the whole point of business is to underfund everything you possibly can to make a buck.
Religion is a gateway psychosis. -- Dave Foley
My biggest beef is not the lack of staff or budget but the lack of discipline. Nowadays it seems that everyone *needs* a computer at their desk, and they seem to have no problem misusing company resources. I don't mean things like checking email while on the clock, but rather installing their favorite IM program, or perhaps a fancy calendar doodad or toolbar (laced with an unhealthy dose of spyware, of course). Let us not forget those "important people" higher up the chain that would have your hide if you even mentioned that perhaps they shouldn't be using Kazaa on a company machine or opening every email attachment under the sun.
There was a day where staff were wary of computers, and treated them with respect. Those days have long past... all they're wary of is that weird IT guy who tries to tell them what to do with their machine.
I'm just curious...
It talks a lot about how staffing hasn't gone up. But an admin worth his salt will make his job easier over time. Creating scripts, getting the hang of how to fix problem x the fastest. Getting used to patching/upgrading. I guess the real problems occur when large scale changes take place. Everyone migrates to another platform, or building X Y and Z now connect remotely. But as far as the usual day to day issues, if you're caught up I don't see what the big hassle is... the more you automate for yourself the easier it becomes.
It would be nice if these large transitions were better planned. Such that in large corporations more of the IT would shift to where the major upheaval is occuring (I'm guessing that there usually isn't enough IT to throw at the problems). I'm also guessing that often times the magnitude of these transistions are underestimated in terms of time needed, and people. But once again, I still don't see the 'normal' day to day conditions being a major problem for someone who has settled in. Of course I could be completely off base and will raise holy hell with a whole bunch of sys admins / varied IT peoples who will declare some sort of technical jihad, and come busting down my door in 5 minutes telling me how really wrong I am.
First of all, I agree that security is a typically under-appreciated job. However, I've also seen what happens with security has the power to implement whatever tools/measures they want. That situation is probably worse than the lack of security at most places...not only can your security team get in the way of the business with insane risk avoidance policies (making the business less efficient), but it can be directly expensive in the price of staff and tools.
Security people need to understand that not every risk has to be avoided. Many risks are an acceptable trade off to allow the business to be efficient. Honestly, I want my security team to be a little paranoid...but I want their manager to have a good understanding of the impact security policies can have on the people who do the things that bring money into the company.
Kind thoughts do not change the world
Wow! Where do I begin to comment on that? Your first assertion, that companies will calculate the cost of failure versus the cost of prevention, is completely true; that is why and how insurance works. Alternatively, that is why punitive damages tend to be so high in the most egregious court cases; the court is trying to tilt the equation in favor of humanity -- hot cups of coffee not withstanding.
.com boom. That figure has probably only gotten worse. Keep in mind, only than 15 years ago, 'the web' didn't exist. Now, my office virtually halts when e-mail stops or a fileserver crashes. Imagine your day if suddenly all of the computers became unusable. How does your office fair?
.com boom has allowed companies to turn system administration and helpdesk support into commodity jobs and consequently also low-skill jobs. Unfortunately, these types often have never been taught proper security practices. This class of worker learns only from experience. It's like expecting the construction workers to calculate the structural soundness of a skyscraper.
That being said, the value of data has increased exponentially in the past 5 to 10 years and companies have not fully accounted for that rapid shift. I saw a study a few years ago that said at least half (but I seem to recall that it was more like 90%) of all business will go out-of-business within 1 year of a major data loss. That was before the
As for IT techs being underpaid, that has very little to do with the value of the work you are doing. It has much more to do with the number of you that are doing the work. It is a classic economic supply and demand problem: an abundance of paper technicians (MCSE, A+, etc), 18-year-old 'ub3r g33ks' and other money-driven late-comers to the
But what scares me more than a lack of real investment in security within the private sector, is the lack of investment in security by the public sector. I used to work in 'cyber security' for a major governmental research organization. The department has quite a reputation for the quality of its security infrastructure research, but the department is still only 10 regular employees and about 30 summer interns. And the department's budget was provided by and was a significant portion of the cyber security expenditures for a few of the major US departments. A major cyber security gaff at a blue chip would strain the US economy, but a major cyber security attack on public utilities could cripple North America (Canada, I'm looking in your direction too...).
I'm off my soap box now. Thank you for your attention. You may now resume your hacking activities.
That someone just had your credit card number whispered in their ear.
First -- people don't value something until they think they need it; and that won't happen until they get burned.
Second -- it's excruiating to separate the wheat from the chaff; there would appear to be a glut of IT security "professionals" out there if their resumes were to be believed, but in practice there are only a few gems to be found in that buzzword-compliant heap.
I'm a computational biologist by profession, but on occasion have had to deal with various projects that involved some sort of security (be it in establishing secure external collaborations, or securing proprietary data in various analytical pipelines). I've seen IT security heads come and go and I've yet to meet one that I felt knew more than me -- and they should know MUCH more than me!
I've met several true IT security professionals -- people that reeked of healthy paranoia and a truly fundamental knowledge of how things worked and interoperated. But, I've yet to see one in the wild looking for a job, much less hired by any company I've worked for.
I think you're simply seeing blissful ignorance exacerbated by a confusing pool of self-proclaimed security professionals and a dearth of truly competent personnel. It's hard work, and the value of it simply isn't clear until it's too late.