Slashdot Mirror
Security's Shaky State
Ant writes "According to InformationWeek, Information Technology (I.T.) security professionals say when it comes to security, most I.T. departments are underfunded, understaffed, and underrepresented.
Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with."
A major part of the problem is that CFO types don't like spending money on things they don't see a need for. By the time they see a need for security, it's past the point at which throwing money at the problem will fix things.
Likewise, the security side of an I.T. department is the sort of job that is hard to justify to people who assume that if they don't notice results, the job isn't really doing much.
Ah the glory of an invisible job.
-JMP
The IT Security department does more preventative solutions then anything else... so basically, if you don't hear booh about them, it's a good thing. Essentially, the better the job they do, the less the management of a company realizes they are important. "Oh, well we haven't gotten hacked in 3 years... we can afford to cut our security department budget this quarter".
LINUX ONLINE POKER: Linux Poker
Sarbanes-Oxley act is the new security-minded sysadmin's best friend.
Managers and Execs start taking IT security a hell of a lot more seriously when they realize they can go to jail if they're implicated in fraud.
To comply with SOX, you have to document all your procedures, all your data flow, and make it available to gov't regulators. You also have to document what holes you're aware of in your systems and how you plug them.
Whistleblowing is quick, easy, anonymous, and DEVESTATING.
SOX ROX.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
It's unfortunate that unions have gotten such a bad rap, especially among engineers in the computer-related fields. For all the Randian talk of rugged individualism, most people really are just sycophants and sheep. That's not bashing, it's just the way it is. For every engineer demanding better pay and working conditions, there are one thousand who are just happy to collect a paycheck every two weeks. If the industry was made up of solely the former type of engineer, there really wouldn't be any need for unions, each person acting in his own self-interest would be a union unto himself.
However, when you look around and see people working 40+ hours a week, working on the weekends, working through the night, showering at work because they don't have time to go home, and being pushed through project cycles that are causing undo stress, something is wrong. The balance of power is not maintained and the employers are exploiting the engineers. That "great" paycheck you're raking in every two weeks suddenly comes out to barely double minimum wage when you break it down hourly. The cost to your family is also incredibly high as they don't have you around. It's a terrible situation.
So what's the solution? Well, the favored solution among the computer cognoscenti is to "go find yourself a new line of work". Why should someone who is good at their job be forced to take a different job just because the industry is unwilling to offer a fair wage as well as reasonable working conditions? It should not be a requirement that anyone who wants to work in the computer industry should also be forced to give up their personal lives. Unionizing is one very good way of forcing employers to bend to the needs of the employed.
It's unfortunate that so many people are against the idea. We ought to be working to live, not living to work.
Jesus saved me from my past. He can save you as well.
My biggest beef is not the lack of staff or budget but the lack of discipline. Nowadays it seems that everyone *needs* a computer at their desk, and they seem to have no problem misusing company resources. I don't mean things like checking email while on the clock, but rather installing their favorite IM program, or perhaps a fancy calendar doodad or toolbar (laced with an unhealthy dose of spyware, of course). Let us not forget those "important people" higher up the chain that would have your hide if you even mentioned that perhaps they shouldn't be using Kazaa on a company machine or opening every email attachment under the sun.
There was a day where staff were wary of computers, and treated them with respect. Those days have long past... all they're wary of is that weird IT guy who tries to tell them what to do with their machine.
First of all, I agree that security is a typically under-appreciated job. However, I've also seen what happens with security has the power to implement whatever tools/measures they want. That situation is probably worse than the lack of security at most places...not only can your security team get in the way of the business with insane risk avoidance policies (making the business less efficient), but it can be directly expensive in the price of staff and tools.
Security people need to understand that not every risk has to be avoided. Many risks are an acceptable trade off to allow the business to be efficient. Honestly, I want my security team to be a little paranoid...but I want their manager to have a good understanding of the impact security policies can have on the people who do the things that bring money into the company.
Kind thoughts do not change the world
... the Engineers and engineers; we doers, designers and other coal face bunnies have to eat some of the blame for under-funding and under-recognition.
If we could accurately quantify the benefits of what we want to do; and there MUST be a simple investment/payback model that any managoid can understand for anything you want to do. We are smarter than them, yet more often than not we bitch about how dumb the senior management is rather than use our smarts to convince them.
Trust me; do your research, present in simple terms the cost of the investment in (insert program here) vs. the cost of not doing it. Remember to quantify the risks in FINANCIAL terms. Lost productive hours; Loss of commercial advantage.
Take an active role in developing Key Performance Indicators for the organisation if it has such programs.
At the end of the day, baby boomers are, by and large, idiots as well as our bosses; they dont get the modern world. We have to present it to them in simple cost accounting terms. The more successful we are at communicating in these terms, the bigger our budgets will be.
Remember, businesses dont/shouldnt SPEND money... they should INVEST it; this is the way to convince and influence PHBs and managoids.
Anyway, just my $0.02AUD
err!
jak.
Wow! Where do I begin to comment on that? Your first assertion, that companies will calculate the cost of failure versus the cost of prevention, is completely true; that is why and how insurance works. Alternatively, that is why punitive damages tend to be so high in the most egregious court cases; the court is trying to tilt the equation in favor of humanity -- hot cups of coffee not withstanding.
.com boom. That figure has probably only gotten worse. Keep in mind, only than 15 years ago, 'the web' didn't exist. Now, my office virtually halts when e-mail stops or a fileserver crashes. Imagine your day if suddenly all of the computers became unusable. How does your office fair?
.com boom has allowed companies to turn system administration and helpdesk support into commodity jobs and consequently also low-skill jobs. Unfortunately, these types often have never been taught proper security practices. This class of worker learns only from experience. It's like expecting the construction workers to calculate the structural soundness of a skyscraper.
That being said, the value of data has increased exponentially in the past 5 to 10 years and companies have not fully accounted for that rapid shift. I saw a study a few years ago that said at least half (but I seem to recall that it was more like 90%) of all business will go out-of-business within 1 year of a major data loss. That was before the
As for IT techs being underpaid, that has very little to do with the value of the work you are doing. It has much more to do with the number of you that are doing the work. It is a classic economic supply and demand problem: an abundance of paper technicians (MCSE, A+, etc), 18-year-old 'ub3r g33ks' and other money-driven late-comers to the
But what scares me more than a lack of real investment in security within the private sector, is the lack of investment in security by the public sector. I used to work in 'cyber security' for a major governmental research organization. The department has quite a reputation for the quality of its security infrastructure research, but the department is still only 10 regular employees and about 30 summer interns. And the department's budget was provided by and was a significant portion of the cyber security expenditures for a few of the major US departments. A major cyber security gaff at a blue chip would strain the US economy, but a major cyber security attack on public utilities could cripple North America (Canada, I'm looking in your direction too...).
I'm off my soap box now. Thank you for your attention. You may now resume your hacking activities.