Why Upper Management Doesn't "Get" IT Security
Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
Anybody know how to get this report for free?
For that matter, does anybody know how all the fire codes, building codes, and such are offered? They too cost in the hundreds of dollars, but they are obtainable for free. What happens is that the books are referenced in court documents, and those are to be made public. In essence, for free.
I wonder if the same could be done for this...
Upper management would get it, but they send the auditors to talk to middle management, who doesn't get it. As such, auditors decide that a company needs X because garbage in is garbage out.
Many of the upper management people I talk to know more about what we should be doing compared to what we are doing. The problem they have in overriding the auditors is the threat of the government and the shareholders. If they take the safe route they keep their jobs and stay out of jail. Actually the fear of the government is far worse than fearing the shareholders. (Thanks to wonderful overreactions by Congress we get even more doing a whole lotta about nothing that ends up preventing us from doing what we should.)
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Most upper management, in my view, came into the field in the 70s-80s and as long as it doesn't bother them, they don't care, so why should they care about IT in the first place! They think everything will be fine as the IT sysadmin will take care of it.
From the part-of-your-job-to-explain-it-in-their-terms dept.
Let's try this. When you forget to lock your Lexus and it's not there when you are ready to go golfing, that sucks. Almost as much as when you go to use the server and some hackers are using it to joy ride the net and sell all your customer records while you are liable. But unlike the car, where you can buy a new one, it's a pain in the ass to buy a new company image.
Of course CEOs don't want to spend a lot of money and time on security. Unless the company makes security software or hardware, it IS an expense. Computer security should be handled with the same priority as physical security (keeping facilities secure) and basic infrastructure (power, water, telephone, etc.). Any CEO that spends an inordinate amount of time on computer security will, and should, be fired. Just because you, as an IT person, spend all day reading about security threats does not mean that upper management should do the same. A good top level manager understands priorities, and handles them accordingly. IT security should be handled as an absolute requirement to run the business (like power and water), but should be handled with the minimum possible expense, since it does not generate any income.
As a manager, you have to understand that EVERYBODY is screaming at you about their particular area. The marketing people need a bigger budget. The maintenance people are wanting to upgrade this and that. The transportation people need new trucks. That's their job. It's a top manager's job to look at each of these recommendations, and prioritize them in a way that will do the best for the company.
Seems to me like this blog entry is just another example of IT people being too myopic to get any real handle on how a business is run. In case anybody is scratching their heads as to why IT people rarely climb up the executive ranks to manage large companies, this example illustrates that reason very well. (Usually, in large companies, the people running the show are from marketing or finance. Occasionally operations. Never from IT.)
1) Explain the effects of a DOS attack by shutting off power to the beancounters' servers.
2) Simulate the effects of spyware by displaying the contents of the PHB's um...photo collection along with his browsing history.
3) Demonstrate the impact of weak passwords by logging in as the PHB and sending off a few colorful resignation letters to the CEO on his behalf.
4) Emphasize the importance of reliable nightly backups by indiscriminately doing rm -rf everywhere. (you ARE root, aren't you?)
5) Using the custodian's account, log in and download the entire customer database into your ipod, load it onto an independent laptop, and use the data to e-mail oodles of spam.
Or you can just tell them the risk factors, in which case they'll just stand in front of the Swiss cheese and sing of how all the holes are theoretical.
I think management think if you spend the money and take the time to release a secure product .. you get behind, have a more expensive product, and lose in the market. Since it's enormously (and often infeasible) to certify a product as 100% secure .. where do you stop spending the money on security? If they waited for IE or Firefox to be 100% secure before ever releasing it .. we'd use other browsers (which may actually end up being either less secure or not as good).
.. I won't mention any products or websites that have had issues. But the point is, for all its ranting about wanting security and reliability, it appears to me the market just doesn't forgive those who would spend the time and money on these things.
People have shown a willingness to put up with insecure, half-ass reliable products.
And yes, this must change.
Whoever keeps posting "Itsatrap" in the tags field needs to quit it. It's not even remotely funny and has no point. Grow up you childish gimp.
Why would they spend $500 on a report to help them get it?
"Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
Bruce isn't in the business for giving out his top notch observations for free.
Are any of us?
I'd say it's a pretty lame attack to point out the cost as a negative. Just admit that you're not interested in his opinion and move on.
IT security sucks for this very single reason: It takes effort.
The solution? Demand effort.
Tom
Someday, I'll have a real sig.
and it proves it, $495 to tell people that they don't know something....
Hell, I'd do it for $349.99
Slashdot Burying Stories About Slashdot Media Owned
The general problem with IT work is that if you do your job really well, nothing happens. So you then have to deal with questions like "why did we spend all that money on Y2K when nothing happened".
It's almost worth messing up from time to time just to show what would happen every day if you weren't there.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Upper management doesn't get IT because upper management doesn't get much of anything. They only see numbers, numbers they must play with until they add up to a plus mark.
Given all that we have been asked to give up in the name of security, the fact that this isn't free shows once again that Homeland Security is about money and power, not the well-being of the citizens. Yes, there is some private sector company involved, but if Homeland Security pays for it, then it should be a study done for the sake of, maybe, National Security. And if that is the case then it should be distributed for free. More likely the case, that company is receiving a return on a political favor (campaign contributions).
We are all just people.
Don't try to talk ROI. You'll be talking to finance people who will see instantly that there's not enough data about quantitative risks to back up what you're saying.
Instead, calculate the cost of a breach. Then walk up the chain of command with the message "Like any risk, we can avoid it, mitigate it, transfer it to an insurance company, or accept it. If you do nothing you're accepting it. If you accept it then on the day a breach happens you will spend eleventy thousand dollars of company money. Do you have signing authority for eleventy thousand? If yes, here's the cost of a couple of mitigation options, and you're the boss. If no, you understand that I'm only going over your head because the decision has to be made at that level."
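The argument above (cost a breach, lay the four treatments side by side, then check whose signing authority the decision falls under) as a small worksheet. This is an added example, not code from the thread; every dollar figure, probability and option name in it is a constructed placeholder.

```python
"""Risk-treatment worksheet for the "cost of a breach" conversation.

Added example (not from the thread). It estimates the cost of one breach,
compares the four treatments the poster lists (avoid, mitigate, transfer,
accept) by expected annual loss, and flags which ones exceed a manager's
signing authority. All figures are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Treatment:
    name: str
    upfront_cost: float           # what it costs to put in place this year
    residual_probability: float   # chance of a breach per year after treatment
    covered_fraction: float = 0.0 # share of breach cost paid by someone else

    def expected_annual_loss(self, breach):
        exposure = breach * (1.0 - self.covered_fraction)
        return self.upfront_cost + self.residual_probability * exposure

    def worst_case_exposure(self, breach):
        # The cheque that gets written on the day the breach actually happens.
        return self.upfront_cost + breach * (1.0 - self.covered_fraction)


def breach_cost(records, per_record_cost, downtime_hours,
                hourly_interruption_cost, fixed_costs):
    """Constructed model: per-record notification/remediation, business
    interruption, plus fixed costs such as legal and PR."""
    return (records * per_record_cost
            + downtime_hours * hourly_interruption_cost
            + fixed_costs)


def treatment_options(annual_probability):
    # "Accept" is what doing nothing amounts to: full probability, full cost.
    # The other three are hypothetical options with made-up effectiveness.
    return [
        Treatment("accept", 0.0, annual_probability),
        Treatment("mitigate: patching + MFA", 40_000.0, annual_probability * 0.25),
        Treatment("transfer: cyber insurance", 25_000.0, annual_probability,
                  covered_fraction=0.8),
        Treatment("avoid: stop storing card numbers", 60_000.0,
                  annual_probability * 0.05),
    ]


def decision_table(breach, annual_probability, signing_authority):
    """Rank options by expected annual loss and mark which ones a manager
    can sign off alone (worst case within their signing authority)."""
    rows = []
    for t in treatment_options(annual_probability):
        worst = t.worst_case_exposure(breach)
        rows.append({
            "option": t.name,
            "expected_annual_loss": round(t.expected_annual_loss(breach)),
            "worst_case": round(worst),
            "within_authority": worst <= signing_authority,
        })
    return sorted(rows, key=lambda r: r["expected_annual_loss"])


def must_escalate(breach, annual_probability, signing_authority):
    """The poster's closing point: silently accepting a risk whose worst
    case exceeds your signing authority is not a decision you can make."""
    table = decision_table(breach, annual_probability, signing_authority)
    accept = next(r for r in table if r["option"] == "accept")
    return not accept["within_authority"]


if __name__ == "__main__":
    cost = breach_cost(50_000, 5.0, 48, 2_000.0, 100_000.0)
    for row in decision_table(cost, 0.2, 150_000.0):
        print(row)
    print("escalate:", must_escalate(cost, 0.2, 150_000.0))
```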
Can I download it on bittorrent yet?
I don't see the problem here. Upper management is ultimately responsible for how the company fares, right? So if they decide that security is worth so-and-so much and they're going to mandate this-and-that policy, that's fine. If they make good choices, the company will do better than if they make bad choices. Since upper management is (at least, should be) accountable for how well the company fares, this will take care of security just like it takes care of everything else.
Please correct me if I got my facts wrong.
The article says "the cost of business interruption was the most helpful metric." That's great with a for-profit business that loses money when their computing systems are down and customers will go to another vendor. What about non-profits, government, education, etc? These types of operations don't have a strong monetary incentive to keep systems secure. If the tax collector's office computers are down because of the latest virus, it doesn't cost the government anything except time. They are still going to get your money.
Ouch! The truth hurts!
Haven't you heard of this?
Once I was a four stone apology. Now I am two separate gorillas.
http://www.mah.gov.on.ca/userfiles/HTML/nts_1_274
Twice that it..
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Surely that's what they pay us for?
I sysadmin in education, and it's clearly a complicated business, far too complicated for any one person to sweat all the details. So some of us sweat finance. And some of us sweat the procurement of funding for 16-19 year olds. Some of us know what 'pedagogical' means ( not me ).
Our senior management are pretty good at what they do, which is to trust their specialist to do our jobs, and challenge us to justify our calls for resources and excuses for problems.
The problems, I think, are twofold:
Us arrogant self-centred IT folk, who expect everyone else to care about how it all works, or just to accept without question what we assert. It's my job to explain to others, ** in terms they can comprehend **, what they need to know about my field.
Those arrogant, incompetent senior managers who won't trust their specialists to do what they're good at. It's their job, once we've explained in their terms, what the deal is, to make the call based on that, and trust us to sweat the details.
I agree with the other posters who advise couching security needs in financial/risk terms.
Why are you looking at me like that?
Since I can't read the report without forking over money: The writeup suggests that there's something wrong with the notion that IT security is akin to facilities management. It doesn't say HOW it is different, though.
As far as I can tell, IT security and building security are pretty much the same idea. You may squeak by without any; you probably want to pay a couple guys to provide some basic security service; there's a diminishing return at the upper end, where hiring more security guards doesn't really make your facilities any safer; no amount of security folks will ever give you absolute security, but it is sufficient to be more secure than the neighboring company so as to not be "low hanging fruit". Many of the folks in the field are dedicated professionals, many others are posers who have no clue what they're doing. They constantly send you requests for more money/people/power and tell you that you're doomed if you don't beef them up. You keep 'em funded at some reasonable level and you resign yourself to the occasional breach. Because there's nothing you can do about it.
Seriously: where is the difference?
We're all born with nothing.
If you die in debt, you're ahead.
"Anybody know how to get this report for free?"
Pay for it with a stolen credit card. I'm sure there's ALWAYS a way to avoid paying people for their work.
"For that matter, does anybody know how all the fire codes, building codes, and such are offered?"
Created by private organizations and others base their work around them. Yeah, I know. I wish everything was free too. But until that utopia comes around people have to be paid.
Good facilities management includes good external security and good internal physical security, like door locks, security cameras, telecommunications management, etc. It may also include locks on individual desks.
If the analogy holds, then IT security includes all "locks" and "cameras" throughout your IT infrastructure.
I HOPE that the CIO takes IT security as seriously as a building superintendent and physical-plant-security team take physical security.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Finally the Department of Homeland Security is looking into some really dangerous people: upper management!
Our tax dollars hard at work!
Proactiveness is generally not rewarded or understood by upper management. How can you look like a hero if you haven't fixed anything lately. Putting money forth to mitigate potential risks has no immediate payoff; monetarily or for image. Buy the product or resources after something bad happens, then you can fix it, then you're a hero.
IT stuff is voodoo to most upper management, and I'm convinced IT shops get away with things they never would if the upper management understood IT as well as they understand, say, supply. I was upper management in two government organizations heavily dependent on IT. As a fairly competent computer user who likes to keep up with current events, I fought with our IT folks endlessly -- at least the management.
The first problem is IT quickly forgets that -- like everybody else except the people actually doing the core functions of the organization -- they are a support organization, not a control organization. They latch on to their ability to throw out security and voodoo computer terms to persuade the upper management to let them set policies. Upper management doesn't understand the policies at all, and often has no choice but to side with the IT pros no matter what the actual users want or need. As often as not, they then set policies that are purely for their convenience (for instance, wanting to standardize on Windows and a strict set of programs even though they support 25 or 30 different sections, some of which have been doing things like digital photography, desktop publishing and design on Macs for years). From the users' perspectives, IT makes using the actual IT resources as painful as possible to make their lives as simple as possible, and the fact that they're hampering actual mission accomplishment doesn't bother them.
Next, they have a sweet deal going where they set a bunch of standards that require certain certifications or skills, so they hire people who perpetuate those standards, and only buy things that are compatible with those standards. This then requires getting on an endless treadmill of more training, more personnel, more software, more hardware, etc. And all the while they make it clear that it's lunacy to buy anything that doesn't have vendor support because if it actually breaks they can't be expected to get it going again using only the training, hardware, software and people that they have brow beat management into paying for using money that *every other part of the organization* was crying for and could have put to good use, too.
Lastly, on a day-to-day basis, far too many of them think that, because they're IT, it's their right to be arrogant, socially or organizationally inept, or just plain weird -- and sometimes it's a combination, so you get a organizationally inept weird guy being arrogant. How many of those does it take to ruin a shop's reputation? (IT certainly has no corner on that market, I'll grant you).
I could go on here, but I'm sure I've pissed off enough people already. I came from the internal communications side of things -- journalism and later PR. In my field management always thinks they can do your job better than you can because, hey, it's just writing and talking. Eventually, I got promoted into management and in dealing with IT I saw that their best defense is that almost nobody in a position of leadership (being mostly older guys, half of whom had never launched a program that wasn't sold by Microsoft) understood what the hell IT did or what it took to get it done. So all it took was a good talker or somebody who learned to cite vague security mandates from higher headquarters to get much more of what they wanted than anybody else did.
Of course, it also left IT open to being weaker when their leadership was weaker (or less smooth). But I didn't run into that. I ran into IT shops that got more of their resource requests approved than anybody else, but didn't really realize it and kept whining for more even though their support curiously never got better no matter how much you spent on them. And for every new capability you read about on Slashdot, they came up with two new security policies that made using it impossible.
Now I'm back in the trenches and don't get to go to the meetings where the IT guys try to talk the boss into banning the USB drives everybody has taken to using because the e-mail
I was asked by my boss (IT Manager) to put together a list of all the security projects I had talked to him about over the last year or so, for a meeting the next day. Should have put time into determining costs, resources, etc. but, hadn't done it before and didn't have time now.
We were to present these ideas, a little over a dozen of them, to our VP on the business side of the company. Projects ranged from migrating systems to the DMZ to implementing Single Sign-On.
All the projects were approved by the VP and could he please have them all by June, it was February...
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
...this would have been posted with an 'OBVIOUS' tag and everyone would be posting Owls.
Why do you care. Protect your ass and move on.
I hope you're not in control of any important systems where you work (if you have a job). With the spelling, grammar, and overall tone of your post, you just validated what was previously posted by a couple of /.ers thus far: IT people are too shortsighted to understand how a business is run.
Take, if you will, your very argument, and replace computers with power, HVAC, water, or trucks. Replace IT personnel with maintenance, accountants, attorneys, factory workers, R&D, or what-have-you.
See the point? A business is a BUSINESS. Businesses never wholly depend on only one type of capital.
I agree and say take it further. Anyone doing research using any public money, and then getting a patent from said research, should have that patent be public property for the use of US citizens and US-only corporations (no transnationals there). Enough's enough: the taxpayer funding private business, then having to pay twice on top of it.
I work with cost estimates daily, and I am the "detail guy" to make sure "both labor and materials" are covered in cost estimates. I haven't seen the detailed breakdown, but let's suppose "you the taxpayer" paid the labor charge for the X guys working on this thing.
Then when you want a copy, they Print On Demand your copy, which is essentially a Materials charge. Just because you are paying two SETS of dollars doesn't mean you're getting double charged.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
"We're sorry, but those lovely GUI's that Apple popularized have been shut down. Everyone turn to their C: prompt now."
When you forget to lock your Lexus and it's not there when you are ready to go golfing, that sucks.
My only complaint about this analogy is that it blames hackers for the loss. I'd blame internal company employees, to make it both more realistic as well as highlight the complexities of IT security that make it different from facilities management.
Are you a shareholder? Do you know other shareholders who might "get it" on security? You have some rights there, even if as an employee you might have less.
disclaimer, always check with your barber and bartender for proper legal advice
disclaimer 2, I'd say check with your union, but like bosses with security, the vast bulk of Slashdot IT guys working full time for some big transnational corp don't "get it" with unions or how they *could* work -- notice I said "could" -- if well run and vigorously maintained to keep the mob out.
You have to understand that managers, especially middle managers, are by their very nature bureaucrats. In their world, a problem is analyzed, a solution is found, this solution is transformed into a policy, this policy is published and stands for the next millennium. And this policy is applied to every problem thereafter. What is completely alien to them is quick adaptation to quickly changing needs.
And that's exactly what security is.
Security is also an expense that is much like an insurance. It's something you spend money on, and you hope that you spend it in vain because you never need it. It's not really a "selling point" for security, to spend money on something you don't want to have.
Unlike insured risks, computer security is not really tangible. Fire insurance sits well in the head of a manager. Fire is a hazard. Fire strikes and you can't be productive for days/weeks/months. A trojan just siphons some of your bandwidth. Hardly any ever really "steal" company secrets. Why bother? Because you're a spamchucker? Who cares, after all you're not responsible (in many countries at least, not in all, thankfully) for what your computer does.
It's an expense that's hard to justify towards managers. So far, few companies outside of the IT field really suffer bad PR from being a trojan haven or a spam center. It can actually be cheaper to ignore security. First of all, the infected computer is going to be cleaned by your admin who's probably half idle anyway. Second, it's cheaper to buy a spare computer than to employ a complex security routine. And finally, it's a useful tool if you want to cut someone's salary, i.e. blame the lack of security on your employee.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Unless the booklet is gold and silver, it's hardly worth $500.
You want upper management to get it? You need to run into their office and whack them in the junk every time they make a stupid decision about safety.
Even if it doesn't do any good, the image of the boss rolling around in the floor crying is good for morale.
How is that any different from getting a grant to write a book?
Sounds like a damn fine reason not to give people grants to write books then, unless they want to do so as U.S. Government employees, and allow the book to be a product of the United States Government (with their name on it, of course), and therefore in the Public Domain.
If public money is being used to fund the creation of something, the end product of that creation ought to be freely available to the public.
Do you think people would be quite so keen on funding the Smithsonian Institutions, if they charged admission fees? Probably not. I don't have any problem with the Smithsonian being publicly funded, in fact I think it's great; but making things halfway-publicly funded is just crappy, and generally gets the taxpayer less "bang for their buck" than if they just went all-in on half the number of projects, but funded them completely and 'owned' the results for the public, therefore making them free for anyone to enjoy.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
So if someone told you that T&M for printing of a 500-page (just guessing here) report was $495.00, you would tell them ... what?
a. "That's ridiculous; there's no way that printing that book cost $1 a page!"
b. "That's ridiculous! I'm calling the Fraud, Waste, and Abuse Hotline, and going to make sure your books get audited!"
c. "Ah, yes ... thank you. I take all my DHS reports bound in human flesh. Exxxxcellent."
There are no wrong answers.
Then there are the good IT departments that get ignored by management.
For instance: The company I work for (and the reason I'm posting anonymously) is currently running our main website on a Windows server. From talking to our hosts, it seems that crypto is something the Windows world just doesn't do. By that I mean, we want to install new web software? (PHP stuff -- you know, new version of Drupal, Wordpress, whatever.) We can either pay them $75/hour or so, or do it ourselves, over FTP. Plain-fucking-text FTP.
It's a small company, so it didn't work when I was the only one who said anything about it. Then I got someone else to say something about it, and now we're actually talking about possible solutions. It's still not a priority, which is kind of understandable. But when someone sniffs our FTP password -- hell, when they simply hijack our connection, casually, really -- they will have credit card numbers for all of our customers.
Well said about the USB drives, but that is why I actually explain IT issues to management. I make it as simple as I just made it for you. It means I won't be able to arbitrate inane stuff simply to get more power, like you're describing -- in fact, I'm one of two people who work on a Mac; everyone else is on Windows, and I run some Linux servers to test on. But it also means that I will be able to get us the level of security we really need, and that's got nothing to do with a lust for power -- it's no skin off my back as it is, I can even mount it with curlftpfs for easy syncing of my test server to the live Windows server.
Just realize: it goes both ways. Management should "get" IT, and keep them on a tight rein. But management should actually listen to IT. Unless I'm going to be fully autonomous, I'd much rather help my boss to "get" it, rather than simply figuring out the right concoction of buzzwords to stuff in his ear to get my way.
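The exposure described in this post (web deployments over plain FTP, so anyone on the path sees the password) from the detection side, as an added example that is not part of the original post or the poster's setup. It scans a constructed text export of port 21 traffic, reports sessions that sent USER/PASS without first negotiating AUTH TLS, and masks the password so the report itself does not leak it; the line format, hosts and credentials are all made up.

```python
"""Flag cleartext FTP logins in a connection log.

Added example, not from the thread. Input is a constructed text export of
TCP payloads in the form "<time> <src>:<port> -> <dst>:<port> <payload>".
Sessions that sent AUTH TLS before USER/PASS are excluded: on a real wire
their later commands would be ciphertext and would never match anyway.
"""
import re
from collections import defaultdict

# Constructed sample capture: one plain FTP deploy, one FTPS login, one SSH.
SAMPLE = """\
12:00:01 10.0.0.5:51000 -> 203.0.113.10:21 USER webdeploy
12:00:01 10.0.0.5:51000 -> 203.0.113.10:21 PASS hunter2
12:00:02 10.0.0.5:51000 -> 203.0.113.10:21 STOR wp-config.php
12:00:05 10.0.0.7:51001 -> 203.0.113.10:21 AUTH TLS
12:00:05 10.0.0.7:51001 -> 203.0.113.10:21 USER alice
12:00:05 10.0.0.7:51001 -> 203.0.113.10:21 PASS s3cret
12:00:09 10.0.0.9:51002 -> 203.0.113.10:22 SSH-2.0-OpenSSH_8.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<payload>.*)$"
)


def parse_lines(text):
    """Yield one dict per well-formed log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def mask(secret):
    # Never copy the captured password into the report.
    return "*" * len(secret)


def find_cleartext_ftp_logins(text):
    """Return one finding per FTP session that sent credentials in the clear."""
    blank = lambda: {"tls": False, "user": None, "password": None, "files": []}
    sessions = defaultdict(blank)
    for rec in parse_lines(text):
        if rec["dport"] != "21":          # only the FTP control channel
            continue
        key = (rec["src"], rec["sport"], rec["dst"])
        s = sessions[key]
        cmd, _, arg = rec["payload"].partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            s["tls"] = True               # credentials after this are protected
        elif cmd == "USER" and not s["tls"]:
            s["user"] = arg
        elif cmd == "PASS" and not s["tls"]:
            s["password"] = arg
        elif cmd in ("STOR", "RETR", "DELE"):
            s["files"].append(f"{cmd} {arg}")   # what that login touched
    findings = []
    for (src, sport, dst), s in sessions.items():
        if s["user"] and s["password"] is not None:
            findings.append({
                "client": f"{src}:{sport}",
                "server": dst,
                "user": s["user"],
                "password": mask(s["password"]),
                "files": s["files"],
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_ftp_logins(SAMPLE):
        print(f)
```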
Gotta Love the magic of Value Billing.
When we copy stuff, we instinctively refuse to value our own time because it tends to be minimal. But if you have a government publication that's supposed to be available on demand (with large leeway for production times), orchestrating 1400 copies of the 500 page report ... begins to siphon up resources.
Let's say this tiny little govt dept. gets set up in a small building with a 5 person operation. At a certain number of copies, it will be full time work for that team, plus the cost of the building being rented. Those costs need to be divided back into the unit price of the Righteous Taxpayer's copy of the report. Even being stingy with salaries, that's $100,000 per year in salaries. The building would be lucky to be $2500 per month, or $30,000 per year.
These are the mistakes Web 1.0 made. It's not Pa's Basement anymore. It's not just a visit to Kinko's.
"a. "That's ridiculous; there's no way that printing that book cost $1 a page!""
Of course it can cost a dollar a page. Especially when you don't have a large enough market to drive costs down.
"There are no wrong answers."
Only because slashdot stacks the answers in their favour.
and I am like this because every single day I have to deal with people who don't grasp the basic concepts of computers yet they get to make decisions about them. If people had to take a test like a driver's test to use computers, half of these gawd damn monkeys wouldn't pass, ever! IT management doesn't just get security, they don't get anything. When they want something done right they can pull their collective heads out of their collective asses and ask me. Dilbert said it best: "In order to make an informed decision, you would need to know as much as I know. That's impossible, so instead, by mutual, implied agreement, I will feed you some lies that point you to the right decision. If we don't upgrade our servers, a herd of trolls will attack headquarters."