Slashdot Mirror
Why Upper Management Doesn't "Get" IT Security
Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
From the part-of-your-job-to-explain-it-in-their-terms dept.
Lets try this. When you forget to lock your Lexus and it's not there when you are ready to go golfing, that sucks. Almost as much as when you go to use the server and some hackers are using it to joy ride the net and sell all your customer records while you are liable. But unlike the car, where you can buy a new one, it's a pain in the ass to buy a new company image.
1) Explain the effects of a DOS attack by shutting off power to the beancounters' servers.
2) Simulate the effects of spyware by displaying the contents of the PHB's um...photo collection along with his browsing history.
3) Demonstrate the impact of weak passwords by logging in as the PHB and sending off a few colorful resignation letters to the CEO on his behalf.
4) Emphasize the importance of reliable nightly backups by indiscriminately doing rm -rf everywhere. (you ARE root, aren't you?)
5) Using the custodian's account, log in and download the entire customer database into your ipod, load it onto an independent laptop, and use the data to e-mail oodles of spam.
Or you can just tell them the risk factors in which case they'll just stand in front of the swiss cheese and sing of how all the holes are theoretical.
since it does not generate any income.
I really am a little tired of hearing how IT does note generate any income!
Do the trucks you deliver your goods with "generate an income?"
The 8 Accounting servers go down for 24 hours, 15 Accountants can not do there job.
20 years ago the company had 50 Accountants doing the job that 15 now do with the aid of computers. I would see this as reducing company overhead and every time you reduce company overhead you increase profits thus providing an "Income."
The 4 Authentication servers go down for 24 hours and 5,250 people can not do there jobs.
5,250 people down for 24 hours (1 Day) is a lot of money (Millions) IT is generating an income by enabling everyone to do there job!
Although IT does not directly generate an income for a company it does not mean that it is a loss. It does not mean that the company could live with out the services that IT provides.
It is like saying the CEO, President, VP, etc do not generate an Income for the company and are just a big hole you through money into.
As to the topic of security, my favorite line has been "We will not be implementing security on the accounting servers. We do not want to make an A+ on SOX, we want to make a D and just get by. An A+ would be too expensive."
Forget the $495, I'll tell you for free. You want a better chance at the funding, make the upward ladder understand the detrimental effect to the company and their profit if the the security is not in place. That means that you need to find the person in your group who can deliver the message in a nice brief way, using nice simple language that management understands, make sure you have urgency statements in the presentation, but don't be sensationalist, and the selling point is an assessment of the cost impact. The cost of developing security, verses loss of [fill in the blank]. And expect to get the funding in stages, in fact if you present a staged funding plan, it'll probably go down a lot better. Always remember, you don't hold the purse strings and those that do dislike being patronized or being made to look stupid (even though they may be).
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
IT stuff is voodoo to most upper management, and I'm convinced IT shops get away with things they never would if the upper management understood IT as well as they understand, say, supply. I was upper management in two government organizations heavily dependent on IT. As a fairly competent computer user who likes to keep up with current events, I fought with our IT folks endlessly -- at least the management.
The first problem is IT quickly forgets that -- like everybody else except the people actually doing the core functions of the organization -- they are a support organization, not a control organization. They latch on to their ability to throw out security and voodoo computer terms to persuade the upper management to let them set policies. Upper management doesn't understand the policies at all, and often has no choice but to side with the IT pros no matter what the actual users want or need. As often as not, they then set policies that are purely for their convenience (for instance, wanting to standardize on Windows and a strict set of programs even though they support 25 or 30 different sections, some of which have been doing things like digital photography, desktop publishing and design on Macs for years). From the users' perspectives, IT makes using the actual IT resources as painful as possible to make their lives as simple as possible, and the fact that they're hampering actual mission accomplishment doesn't bother them.
Next, they have a sweet deal going where they set a bunch of standards that require certain certifications or skills, so they hire people who perpetuate those standards, and only buy things that are compatible with those standards. This then requires getting on an endless treadmill of more training, more personnel, more software, more hardware, etc. And all the while they make it clear that it's lunacy to buy anything that doesn't have vendor support because if it actually breaks they can't be expected to get it going again using only the training, hardware, software and people that they have brow beat management into paying for using money that *every other part of the organization* was crying for and could have put to good use, too.
Lastly, on a day-to-day basis, far too many of them think that, because they're IT, it's their right to be arrogant, socially or organizationally inept, or just plain weird -- and sometimes it's a combination, so you get a organizationally inept weird guy being arrogant. How many of those does it take to ruin a shop's reputation? (IT certainly has no corner on that market, I'll grant you).
I could go on here, but I'm sure I've pissed off enough people already. I came from the internal communications side of things -- journalism and later PR. In my field management always thinks they can do your job better than you can because, hey, it's just writing and talking. Eventually, I got promoted into management and in dealing with IT I saw that their best defense is that almost nobody in a position of leadership (being mostly older guys, half of whom had never launched a program that wasn't sold by Microsoft) understood what they hell IT did or what it took to get it done. So all it took was a good talker or somebody who learned to cite vague security mandates from higher headquarters to get much more of what they wanted than anybody else did.
Of course, it also left IT open to being weaker when their leadership was weaker (or less smooth). But I didn't run into that. I ran into IT shops that got more of their resource requests approved than anybody else, but didn't really realize it and kept whining for more even though their support curiously never got better no matter how much you spent on them. And for every new capability you read about on Slashdot, they came up with two new security policies that made using it impossible.
Now I'm back in the trenches and don't get to go to the meetings where the IT guys try to talk the boss into banning the USB drives everybody has taken to using because the e-mail