Security's Shaky State
Ant writes "According to InformationWeek, Information Technology (I.T.) security professionals say when it comes to security, most I.T. departments are underfunded, understaffed, and underrepresented.
Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with."
A major part of the problem is that CFO types don't like spending money on things they don't see a need for. By the time they see a need for security, it's past the point at which throwing money at the problem will fix things.
Likewise, the security side of an I.T. department is the sort of job that is hard to justify to people who assume that if they don't notice results, the job isn't really doing much.
Ah the glory of an invisible job.
-JMP
The IT Security department does more preventative solutions than anything else... so basically, if you don't hear boo about them, it's a good thing. Essentially, the better the job they do, the less the management of a company realizes they are important. "Oh, well we haven't gotten hacked in 3 years... we can afford to cut our security department budget this quarter".
Security doesn't tend to have a pretty interface that managers can see; managers love eye candy. It's a bit similar to the case where you will develop the interface before the backend. If you spend 6 months working hard on a backend, a client/manager will think you haven't been doing much. If on the other hand you have a nice colourful interface to show them after 6 months regardless of functionality, they will love you.
Sarbanes-Oxley act is the new security-minded sysadmin's best friend.
Managers and Execs start taking IT security a hell of a lot more seriously when they realize they can go to jail if they're implicated in fraud.
To comply with SOX, you have to document all your procedures, all your data flow, and make it available to gov't regulators. You also have to document what holes you're aware of in your systems and how you plug them.
Whistleblowing is quick, easy, anonymous, and DEVASTATING.
SOX ROX.
It's unfortunate that unions have gotten such a bad rap, especially among engineers in the computer-related fields. For all the Randian talk of rugged individualism, most people really are just sycophants and sheep. That's not bashing, it's just the way it is. For every engineer demanding better pay and working conditions, there are one thousand who are just happy to collect a paycheck every two weeks. If the industry was made up of solely the former type of engineer, there really wouldn't be any need for unions, each person acting in his own self-interest would be a union unto himself.
However, when you look around and see people working 40+ hours a week, working on the weekends, working through the night, showering at work because they don't have time to go home, and being pushed through project cycles that are causing undue stress, something is wrong. The balance of power is not maintained and the employers are exploiting the engineers. That "great" paycheck you're raking in every two weeks suddenly comes out to barely double minimum wage when you break it down hourly. The cost to your family is also incredibly high as they don't have you around. It's a terrible situation.
So what's the solution? Well, the favored solution among the computer cognoscenti is to "go find yourself a new line of work". Why should someone who is good at their job be forced to take a different job just because the industry is unwilling to offer a fair wage as well as reasonable working conditions? It should not be a requirement that anyone who wants to work in the computer industry should also be forced to give up their personal lives. Unionizing is one very good way of forcing employers to bend to the needs of the employed.
It's unfortunate that so many people are against the idea. We ought to be working to live, not living to work.
There's not much you can really do about it. You can buy all the "security" in the world and the next M$ worm will still take out your servers and your desktops. The only thing more staff does is make the recovery faster, but the limit is how fast Microsoft themselves fix the real problem. Beyond that, you block ports and services until things go away, which is not much better than broken.
At big companies, the problem is NOT a lack of resources, it's resources poorly spent. The quoted ratio is 1:5, one Unix admin can do the work of five Windoze admins.
Friends don't help friends install M$ junk.
Security is underfunded because the whole point of business is to underfund everything you possibly can to make a buck.
My biggest beef is not the lack of staff or budget but the lack of discipline. Nowadays it seems that everyone *needs* a computer at their desk, and they seem to have no problem misusing company resources. I don't mean things like checking email while on the clock, but rather installing their favorite IM program, or perhaps a fancy calendar doodad or toolbar (laced with an unhealthy dose of spyware, of course). Let us not forget those "important people" higher up the chain that would have your hide if you even mentioned that perhaps they shouldn't be using Kazaa on a company machine or opening every email attachment under the sun.
There was a day when staff were wary of computers, and treated them with respect. Those days have long passed... all they're wary of is that weird IT guy who tries to tell them what to do with their machine.
First of all, I agree that security is a typically under-appreciated job. However, I've also seen what happens when security has the power to implement whatever tools/measures they want. That situation is probably worse than the lack of security at most places... not only can your security team get in the way of the business with insane risk avoidance policies (making the business less efficient), but it can be directly expensive in the price of staff and tools.
Security people need to understand that not every risk has to be avoided. Many risks are an acceptable trade off to allow the business to be efficient. Honestly, I want my security team to be a little paranoid...but I want their manager to have a good understanding of the impact security policies can have on the people who do the things that bring money into the company.
... the Engineers and engineers; we doers, designers and other coal face bunnies have to eat some of the blame for under-funding and under-recognition.
If we could accurately quantify the benefits of what we want to do; and there MUST be a simple investment/payback model that any managoid can understand for anything you want to do. We are smarter than them, yet more often than not we bitch about how dumb the senior management is rather than use our smarts to convince them.
Trust me; do your research, present in simple terms the cost of the investment in (insert program here) vs. the cost of not doing it. Remember to quantify the risks in FINANCIAL terms. Lost productive hours; Loss of commercial advantage.
Take an active role in developing Key Performance Indicators for the organisation if it has such programs.
At the end of the day, baby boomers are, by and large, idiots as well as our bosses; they don't get the modern world. We have to present it to them in simple cost accounting terms. The more successful we are at communicating in these terms, the bigger our budgets will be.
Remember, businesses don't/shouldn't SPEND money... they should INVEST it; this is the way to convince and influence PHBs and managoids.
Anyway, just my $0.02AUD
err!
jak.
I work as a software engineer for a very large company in the US. After 5 years with limited security and no virus scanning of email, the company network was beaten down internally by every virus known to man. The "solution" was a very unfocused initiative. IT did stupid things like block every attachment via email (driving us nuts) while not making antivirus software mandatory. People would just plug a laptop into the network and spread everything they had on it. The IT department should have focused on handling the viruses instead of trying to avoid them altogether. They will get on the network anyways. Another "smart" thing they did was block access to Windows Update to make installing patches difficult. They had the staff, but not the knowledge and plan. That's more important in my opinion.
Wow! Where do I begin to comment on that? Your first assertion, that companies will calculate the cost of failure versus the cost of prevention, is completely true; that is why and how insurance works. Alternatively, that is why punitive damages tend to be so high in the most egregious court cases; the court is trying to tilt the equation in favor of humanity -- hot cups of coffee notwithstanding.
That being said, the value of data has increased exponentially in the past 5 to 10 years and companies have not fully accounted for that rapid shift. I saw a study a few years ago that said at least half (but I seem to recall that it was more like 90%) of all businesses will go out of business within 1 year of a major data loss. That was before the .com boom. That figure has probably only gotten worse. Keep in mind, only 15 years ago, 'the web' didn't exist. Now, my office virtually halts when e-mail stops or a fileserver crashes. Imagine your day if suddenly all of the computers became unusable. How does your office fare?
As for IT techs being underpaid, that has very little to do with the value of the work you are doing. It has much more to do with the number of you that are doing the work. It is a classic economic supply and demand problem: an abundance of paper technicians (MCSE, A+, etc), 18-year-old 'ub3r g33ks' and other money-driven late-comers to the .com boom has allowed companies to turn system administration and helpdesk support into commodity jobs and consequently also low-skill jobs. Unfortunately, these types often have never been taught proper security practices. This class of worker learns only from experience. It's like expecting the construction workers to calculate the structural soundness of a skyscraper.
But what scares me more than a lack of real investment in security within the private sector is the lack of investment in security by the public sector. I used to work in 'cyber security' for a major governmental research organization. The department has quite a reputation for the quality of its security infrastructure research, but the department is still only 10 regular employees and about 30 summer interns. And the department's budget was provided by, and was a significant portion of, the cyber security expenditures for a few of the major US departments. A major cyber security gaffe at a blue chip would strain the US economy, but a major cyber security attack on public utilities could cripple North America (Canada, I'm looking in your direction too...).
I'm off my soap box now. Thank you for your attention. You may now resume your hacking activities.
What is the Holy Grail of security?
Whispering the information in someone's ear in the middle of an empty field. I'd like to see someone steal my credit card number then.
That someone just had your credit card number whispered in their ear.
underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.
The other side of this is that even when companies do have the budgets for these fancy-schmancy products from uber-respected vendors, it's often the users, and their lack of awareness or education about their role in security, that's the weak link.
I've seen this time and time again - maybe I'm just getting too cynical for my own good ;-).
As far as I can tell, in quite a few companies IT Security staff are only employed as a gesture towards corporate risk management. In other words, as long as the gesture exists there is an apparent legitimate claim that effort was put in to mitigate a risk.
When (not if) the inevitable happens, it doesn't take a rocket scientist to work out whose head will roll. For those who haven't reached their operational caffeine level yet: it's not going to be an executive.
Having said that, I'm glad to come across more and more evidence that quite a few companies at least *DO* get it so maybe there is hope.
I recall talking with a very experienced, capable security expert who had founded a company (and was CEO). The remark that sticks in my mind was along the lines of, "No one can make much money in this business, because customer executives never buy the security their company needs - they buy the very minimum to avoid being successfully sued for negligence if the shit hits the fan".
I am sure that there are many other solipsists out there.
SOX only applies to publicly held companies. Private companies are not bound by SOX.
First -- people don't value something until they think they need it; and that won't happen until they get burned.
Second -- it's excruciating to separate the wheat from the chaff; there would appear to be a glut of IT security "professionals" out there if their resumes were to be believed, but in practice there are only a few gems to be found in that buzzword-compliant heap.
I'm a computational biologist by profession, but on occasion have had to deal with various projects that involved some sort of security (be it in establishing secure external collaborations, or securing proprietary data in various analytical pipelines). I've seen IT security heads come and go and I've yet to meet one that I felt knew more than me -- and they should know MUCH more than me!
I've met several true IT security professionals -- people that reeked of healthy paranoia and a truly fundamental knowledge of how things worked and interoperated. But, I've yet to see one in the wild looking for a job, much less hired by any company I've worked for.
I think you're simply seeing blissful ignorance exacerbated by a confusing pool of self-proclaimed security professionals and a dearth of truly competent personnel. It's hard work, and the value of it simply isn't clear until it's too late.