Survey: Most IT Staff Don't Communicate Security Risks
CowboyRobot writes "A Tripwire survey of 1,320 IT personnel from the U.S. and U.K. showed that most staff 'don't communicate security risk with senior executives or only communicate when a serious security risk is revealed.' The reason is that staff have resigned themselves to staying mum due to an environment in which 'collaboration between security risk management and business is poor, nonexistent or adversarial,' or at best, just isn't effective at getting risk concerns up to senior management."
IT would love to, but upper management doesn't want to hear it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
It is so risky even to comment on this that nobody is risking it
"However, it's clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals."
Is it possible to cram any more buzzwords into that paragraph?
Anything that causes extra cost isn't worth listening to. Who cares if you get hacked? You just fire the IT staff and restart..
I'm sure Congress will ignore Syria and ever-mounting spending problems and jump right on this pressing issue!
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
My profession isn't sys-admin, but I take care of that at my office. (SO, 6-8 people)
Both my boss and colleagues use super weak passwords (tom101) in spite of me asking them to be serious.
I warned the system was insecure, but was never given a moment to work on it.
At some point I just had to wash my hands of it, I'm not even paid to be responsible for it.
There is a limit to how many times you will tell people the same thing, especially when they don't care or get annoyed because it requires an effort from them.
It seems management doesn't want to spend resources on a problem they don't (want to) understand, preferring to close their eyes.
I for one spend a sizeable chunk of time trying to explain escalation attacks and SSL issues to my boss, in the hope that at some point he conveys pertinent information to the upper echelon and secures the funding I need to make things better.
Sometimes these are extremely technical problems, so you shouldn't expect me to ensure you understand every minutia before you tell the boss. Sometimes the problems are caused by us, and that's okay, but hiding them from upper management to ensure your team looks good is so counterproductive it hurts. Other times the problems are with existing services that, if addressed, would cause blocking issues for major corporate goals for the year. Not telling the bigwigs about this is sabotage at best. Finally, sometimes upper management just doesn't give a shit. Problems like database encryption would slow down the final goal of getting the new cloud widget going, so despite our firm 'fix it now' policy the guys with all the power basically ignore their own mandate and say 'fix it later.' Six months later when our widgets get hacked, we get reamed for not fixing the DB issue when we instead had to allocate too much time developing more new features for cloud widget. At this point we just get more myopic, often times ignoring cloud widget entirely in pursuit of fixing ancientDB.
Good people go to bed earlier.
Security isn't something that anyone wants to spend time and money on in business.
The bottom line is, if you put a fancy security system in your house and no one ever thought about breaking in to begin with, you've wasted time and money.
I send out security risk info to our employees every so often, but not all the time.
Send them out too often, and you risk being ignored. Send them out infrequently, and people say they weren't warned. Once a month seems to do the trick where I work. Management actually encourages this since it keeps people aware without becoming annoying.
And get fired for not fixing it, because the jackholes didn't give us the budget to fix it. Guess what jerky, we're just simply not going to tell you if you won't give us the means to fix it anyways.
"Don't worry about it, it's not that serious."
Well, you are wrong, your head is up your ass, and this kind of stuff is why guys like you hire guys like me, even if you don't know that. So, let the IT dept. do its job, dammit!
This combination doesn't exist: ETIs that know about humanity and want to see us dead. Otherwise we wouldn't exist.
...when business is *ALWAYS* right when it comes to decisions...?
Yes, I did stop communicating security risks eventually. I'd say I stopped after the 10 or 20 thousandth 'So what?' from management.
Security = Liability. There is no other way to look at this from the bean-counter point of view. This is why all organizations need a CIO, someone who is capable of translating "if we don't do X, we're going to get pwned" into "if we don't spend X$ and Y man-hours, we are exposing our business to a $Z,000,000-sized liability".
This problem boils down to techies and suits not speaking the same language. So someone has to translate.
here.
Have gnu, will travel.
If you discuss security issues with your upper management, then they think THEY have to do something about it - and usually it is not the thing and far worse than what you were hoping for.
So the best route is to say 'don't worry, we got it covered' and get what you can done without having to get them involved.
Is....is super lie...
There are many issues that IT attempts to communicate to Senior Management, but, for a variety of reasons, go unhandled. We've tried communicating before...and people said "Shut up, you're talking too technical, you need to speak business," then it became "Shut up, every week there is some sort of thing that needs attending to..."; so, after a while, those reports start getting filed in the garbage can immediately after they are printed, since that's where they end up anyways.
It's only later on, when something has gone terribly wrong (imagine a large kingdom having been run into ruin by the last dozen or so kings...), when there are so many things going wrong all at once that duct tape and shoelaces can't fix things, that Senior Management may wake from its slumber, and ask "What the hell is going on in this company? Why is it taking forever to get new projects done, and old projects are requiring constant intervention just to keep afloat? Why are we leasing buildings that we used to own? How badly mismanaged have things been that the former masters of the household are now its servants?" And that's when Senior Management begins knocking on Accounting, Legal, and IT's doors...if they are still around...and asking, "You are the sensory organs of this company...you deal with the day to day running of operations...why are we bankrupt? Did we lose a major lawsuit? What happened? Accounting, why are we in the red? IT, you handle information on a daily basis...what have you heard?" And for companies that have outsourced all of their IT, Accounting, and Legal operations...well, just getting a hold of someone, who is very unhappy with your delinquent bills, can be trying.
So, what you're seeing now is Senior Management having woken up from a long hiatus, and wondering who made what decisions, and why everything is so wrong.
I am John Hurt.
This usually works:
"Em, sorry to interrupt, but there are some policemen here? They say they need to speak to you about some irregularities in the pension fund."
http://www.youtube.com/watch?v=UxVivkXUfdU
"Kill 'em all and let Root sort 'em out"
Every day I look at my server logs and see all kinds of "attacks". I'm not sure 5 minutes go by without another wp-admin attempt. I suspect that these are probing known easy attacks. So if I were running IT for a company I could make it sound like this was trench warfare WWI style. It would almost be funny to have an air raid siren going off every time one of these attacks came and having a fire pole for the Admins to slide down.
Seeing that these various "attacks" have various goals, it can be hard to even define "penetrated". If their goal is to scrape all the content from a site and they succeed, or if they wanted to get past the spam filters and post something spammy, then should that be something you alert everyone about? It starts to become clear at a certain point, such as the attacker logging in with root access. But what about a spam post that managed to have some active JavaScript that popped up a casino ad? Or an SQL injection that resulted in a spam post being approved? SQL injection is bad, but spam is just another day in the office.
Then you have other fuzzies. DDOS attacks that slow things down. DDOS attacks that slow things down and give a competitor an advantage (such as slowing down a brokerage's trades strategically), or a DDOS attack that simply requires a new server (or 10), so you stop caring about it?
Up to a certain point what constitutes a security problem can be very fuzzy. In theory, if you have a weak honeypot machine that, when attacked, cuts the intruders out of the rest of the network, you might have an awesome strategy, but it could be reported (by some auditor looking to get the contract) as having a "weak link" machine that was woefully under-secured and regularly compromised by intruders unknown.
In over twenty years I have yet to work at a company that gives a poop about long term concerns like security. Oh, I'm sure they will work themselves into a lather when a breach actually happens, but after the temporary patchwork hacks are put into place then it's back to biz as usual. Disturbing and sad reality.
As someone who has been working in IT for almost two decades, I'm not the least bit surprised. There are all kinds of things that we've given up on trying to communicate. People don't want to hear it. They don't understand what you're saying, they don't want to figure it out, and if you can get them to understand, they still don't care.
In the case of security, it falls into this classification of 'technical things nobody even wants to understand' and also into the classification of 'preventative measures that people will not recognize the importance of, until after it bites them in the ass.' You tell people that it's a bad idea to use "password" as your password, and they'll blow you off. The more you stress the point, the more annoyed they'll become, all the way up until someone malicious gains access to their accounts. Once they've been hacked, they'll come back angry, demanding, "Why didn't anyone tell me it was a bad idea?"
Until there's an actual security breach, people think you're chicken little. They'll tell you, "I've been using 'password' for my password for 10 years and I've never had a problem."
Face that kind of attitude for several years, and you get awfully tired of warning people.
Deal everybody (IT and Management)
Never use anything that is reversible to store passwords. Salted hash. Always.
There is a big difference there. IT Staff does one thing and IT Security Staff does another. They must work together though. As a malware remediation consultant, I can confidently say 95% of the organizations out there (mostly small to medium sized ones) do not have any comprehensive understanding of good security procedures or what to do when they are compromised. No clue. Whatsoever. This goes way beyond complex passwords and VPN services. Most organizations that don't understand IT security, or have a department or person focused on it, have no clue they are infected until someone else comes and tells them. At which point, they have no clue what to do. Because they don't see the risks, they don't educate their management to the risks. As a result, they never get the funding to buy tools and equipment to help keep their networks secure.
The most successful organizations I have helped actually have the C-level guys throw special happy hour celebrations when they catch a spearphishing email and don't click on the link, or something else along those lines. This only came after they had a "hundred million dollar" breach and learned a very hard lesson.
6x% said there was a communication problem. 61%, or almost all with a problem, said it was too technical for management to understand.
One commenter talked about trying to explain escalation attacks and ssl issues to the boss. Yeah, my boss wouldn't understand that either. He does understand BUSINESS RISKS. If I point to a WSJ or Forbes article about a company that got owned and say "we are vulnerable to the same thing" he'll understand that. He doesn't understand SSL ciphers, he's not supposed to. He does understand "PR nightmare" and "noncompliance".
If I want business managers to do something, should I maybe explain the business case for what I'm proposing? Maybe point to a line in the WSJ article that says "the attack is estimated to have cost the company $2.4 million so far. No word yet on when their services will be back online". Perhaps that's what management understands better than the technical details?
There are probably thousands of potential new risks per day for all applications within a company. Executives want a summarized one sentence status of security and not a detailed list of possible risks. It is IT/security's job to weed out noise, then prioritize/evaluate risk. After that action is determined.
I hope you all saw the ca-certificates package that was just pushed out. You installed it without looking, too, didn't you?
"Please note that Debian can neither confirm nor deny whether the certificate authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator."
Management won't listen to anything regarding security until there's a personal fine associated with it. In fact, ignoring IT's comments allows them to claim ignorance. If you want upper management to pay attention to security risks, make them liable. Until then, IT is just another fall-guy when stuff breaks.
Exactly what I was going to say, but I only had 5 years in IT long ago. Most of the nature of IT is unlikely to change; the big issues are rarely technical in nature... people and culture change so slowly it seems almost static relative to technology.
I would add the problem with management is they often are short sighted (except the founder) and do not want to invest in the hypothetical. They don't want to comprehend enough to actually be able to weigh the risks in their "thinking" on such matters - if you make the decisions for them they are OK as long as they don't become aware of it.
Democracy Now! - uncensored, anti-establishment news
In these times, they don't feel that there's a "disconnect between layers of management". They fear reprisal for exposing their bad security.
schedule, budget (on, off, ahead)
headcount
anything technical is blah blah blah, until one of the words above is mentioned.
and quality is given lip service at best
security is pasted and spackled on at the last minute
signed, a unix/open systems deployment veteran with 20 plus years of putting out running solutions despite management
and currently NOT employed, (tired of beating my head on wall in frustration)
getting a BOFH retooling refresher course and shopping for a bigger tape vault
The only way I've been able to implement proper security at any site has been from the ground up. You find a couple of developers or application support folks with a clue, and get their systems and processes into shape. At the same time, streamline and increase stability. Hopefully other teams will see the benefits of your changes, and follow suit. The only security that comes from on high is security theater, e.g. PCI compliance auditing, which never addresses any real security issues, only check boxes to justify the auditor's fee.
The only thing worse than a Democrat is a Republican.
"This e-mail is about my _________ concerns. It is my understanding that I am not funded to replace _________ with the latest version due to budget concerns. As such, I will leave _________ at its current version, ___ until it is reviewed during _________. If this is incorrect, please reply."
---- The above post was generated by the Turing Institute. Maybe.
To take that a step further, it would be interesting to see what happened if those complaining of poor communication emailed their boss saying:
You may have seen the Forbes and WSJ articles related to the security breach at XYX Corp.
We are currently at risk for the same type of issue. I estimate a 6% chance of a breach in the next three years which would cost the company around $1 million, so we have an actuarial liability of $60,000. If we secure the system, I estimate the risk would be reduced to 3%, eliminating $30,000 of the liability. I estimate the cost as $4,000 to eliminate that $30,000 liability and much of the $1M risk.
That way you are presenting management with this decision: "do we want to save $30,000 by spending $4,000?" That's not too technical; that's exactly the kind of decision they are trained to make.
Looking at it that way can also teach us engineers something. We might estimate the cost of a breach at $30,000 with a 1% chance of it happening. That's a $300 liability. If it would require 10 man-hours to fix, including meetings and stuff, the company would lose a lot of money trying to fix it. (Remember people cost approximately double their salary, once you pay for health insurance, taxes, their office space, etc.) Management would be "right" to simply accept the risk, knowing that bad might happen, at a cost of $30K. Better to risk a $30,000 problem that probably won't happen than to spend $2,000 to avoid it. (Best would be to make a note to fix it in the next version / rewrite, when the _extra_ cost is only 1 man-hour.)
I've been in IT-Security for about a decade now. I've had my share of consulting jobs and inevitably poor security communication comes down to one of three reasons:
1. Ignorance at management levels
2. Blame-shifting
3. Blinkered management
Let's shed some light on them.
One is easily explained and I guess everyone can tell at least one tale of them noticing something being horribly wrong in their IT setup, dashing to their superior, reporting the finding and being met with a blank stare and a "huh? Erh... ooookay... we ... I mean, I will look into it...", leaving you with the feeling that entrusting your superior with a problem is like dumping a baby into a trash can. When this happens more than once, IT becomes complacent as well. Management doesn't give a fuck, so why should we?
The second is actually worse, but rather common around Europe in my experience: The person who reports the finding gets the blame. Directly or indirectly. Either they get chewed out why they could let that happen (whether it is actually in their responsibility or not), or they are now seen as some sort of management snitch with his peers 'cause he ratted them out and now someone gets the blame. This is usually the case in companies where finding a culprit has a bigger priority than finding the person who can fix the problem. It's amazing how often that is actually the case.
And finally, management that just doesn't give a fuck. It is usually somehow tied with the first case, ignorance of the importance and size of a problem is tightly coupled with the willingness to ignore it altogether and wish it away.
In a culture like that, NOBODY is very keen to report problems. It's time management starts to understand that problems are part of the game and nothing that can easily be avoided. The human factor is always in play when work is done, and humans err. By definition. Anyone claiming he doesn't make mistakes simply does not work. It is that simple. Only if you don't work you cannot make mistakes. So mistakes will happen and problems will arise. It is now very pointless to start pointing fingers and spending resources finding the culprit, because after we found him we still have the problem on the table! We can do that AFTER the problem is solved. That not only gives the person responsible for it the chance to fix it themselves, but it is also the sensible order of doing things. First get the problem fixed, then you find a strategy to avoid repeating the mistake. Yes, that may include replacing the person responsible for it, but first of all we should find out just WHY he made that mistake, WHY it was possible for him to make it (actually, 9 out of 10 times it's NOT the person's mistake, it's a mistake in the process. But it's just easier to fire some easily replaceable worker than the process manager...) and HOW we can avoid making it again. Just replacing someone does NOT fix a problem if the process behind it is shot, because the next person will make the SAME mistake again.
But I ramble, back onto security reporting.
Companies need to establish a culture of security awareness amongst their workers. Security is the minimum of technical and staff security. The MINIMUM. Not the average. I can have the tightest security system in the world if the users hand out their passwords to anyone calling. Of course, preferably the human factor would be taken out of security altogether, but that is not easily possible. Security reporting must be a process, and a process that is rewarding for the person reporting. Someone reporting a security risk must not be seen as a "problem maker", as he often is. He upset the apple cart, he put sand into the gear, he makes the machine run wobbly. Everything went smooth and then that idiot comes along and says we're insecure. So what, anyone see anything bad happening? This is, sadly often, the approach taken to ITSEC. We have to understand that someone who reports a security problem is not "making" this problem but actually helping us avoid a much bigger problem.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Many people working in IT dislike confrontations. They just want to get on with what they know they need to do.
They will make an effort to communicate security risks, but if they are rebuffed and they have sufficiently covered their ass ... then they will be tempted to follow the instructions of their superiors to the letter (ignore whatever they were told to ignore).
Which means sitting back and watching the fireworks. Passive Aggressive - an unfortunate but accurate description of me and many like me.
If upper management is worth a dime they'll play that ball back into your field and ask you what's to be done.
That's basically what I do when IT comes with a problem I don't instantly understand. What is the problem? What is the implication? What can be done against it? What can you do about it? What can I do to give you what you need to do it?
Adversarial is the key word here. Business doesn't view security as an entity trying to protect them from liability, get them on par with industry norms, and maybe even create some efficiency and ease support burdens, they view security as an impediment to signing the contract. Your own security team is just trying to save you from yourself...arguing with them as a proxy for the customer doesn't get you anywhere but into even more trouble.
A smart boss would ask you to explain the significance of the "too technical" stuff that you are trying to explain. If the boss doesn't understand and still doesn't ask why you think something is important, then he is just as much to blame for the communication failure.
The real "Libtards" are the Libertarians!
Around here, security rules. Adds and changes to apps go through security review, separate standards are published and enforced, and all this lives inside a secured perimeter that is well monitored and regularly improved.
My own workstation refuses most removable media, and if I can get one attached, my senior and not-so-senior managers get email alerts that this was done. Yes, this impacts an old app that expects to save to a floppy; even the SUBST command trips this alert. Flash drives etc. don't work any more.
Besides full disk encryption and the usual passwords and signons, only one of my current passwords lives for more than 15 days.
I regularly do battle with app teams to accommodate our users' needs to enter valid and accurate data despite restrictions on characters etc. Since SQL injection attacks still succeed, they need to jump through the hoops to sanitize data. And they do, with much grumbling. They would rather point to security and refuse us, but people do have apostrophes in their names occasionally, for instance.
Before this, I did work with small businesses. They are sensitive to cost, and it seems there is just no way to be well-secured without spending a lot. I left that business just as SaaS started to gain traction. We call that the Cloud now. I'm glad I don't do Cloud. It was bad enough when I screwed up, but to explain it wasn't me? The boss wasn't interested, I was responsible, even if I didn't approve of the provider. But that's par for small business, and a lot of mid-sized also.
Security is just impossible now, a losing game if you can't sign on with a massive provider or hire yourself a few PhDs.
deleting the extra space after periods so i can stay relevant, yeah.
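The apostrophe tension in the comment above (blocking quote characters "for security" versus letting O'Brien enter his own name) is an added example here, not code from the commenter; it uses Python's sqlite3 with a constructed in-memory table. The concatenated query is the pattern that makes character restrictions look necessary; the parameterised query sends the value separately from the SQL text, so names with quotes are stored and matched as plain data with no sanitising rule at all:

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with a few names, one containing an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO customers (name) VALUES (?)",
        [("Alice Smith",), ("Miles O'Brien",), ("Tom Jones",)],
    )
    conn.commit()
    return conn


def find_customers_unsafe(conn: sqlite3.Connection, name: str) -> List[str]:
    """The pattern behind the 'no apostrophes' rule: the input is pasted into the
    SQL text, so a quote character in a legitimate name changes the statement."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return [row[1] for row in conn.execute(sql)]


def find_customers(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterised form: the driver binds the value separately from the SQL,
    so quotes or other special characters in the value are just data."""
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return [row[1] for row in conn.execute(sql, (name,))]


def insert_customer(conn: sqlite3.Connection, name: str) -> int:
    """Store a name exactly as entered and return its new row id."""
    cur = conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def unsafe_query_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query is rejected by the SQL parser for this input."""
    try:
        find_customers_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_customers(db, "Miles O'Brien"))       # ["Miles O'Brien"]
    print(unsafe_query_fails(db, "Miles O'Brien"))   # True: the apostrophe breaks the statement
    print(insert_customer(db, "D'Angelo"))           # 4
```

The same binding mechanism exists in every mainstream driver (placeholders are `?`, `%s` or `:name` depending on the library). Input validation still has its place for business rules such as field length or allowed character sets for a postcode, but it is not what keeps the query safe.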
In the bureaucratic world, I've only seen two kinds of security: nonsensical and nonexistent. On the whole, I prefer the latter.
That is the answer I get when discussing any risk management or business recovery issues with management. When I ask to review the policies I am told it's taken care of. I know for a fact that some items on typical insurance policies, like say backup and recovery, are not implemented or tested (it costs too much).
Until there is a set of guidelines for small/medium business I fear no change will take place.
I report security issues to my immediate manager/supervisor and make note of when and what I did in my journal. After that it's no longer my problem.
It's amazing how many companies actually do this. Even had a company once ask why I was the only one having a problem, (they wanted us to do a tour that took an hour and a half, every hour). Everyone else was just faking the paperwork, which is what I went back to.
I will also add that I never go directly to the executives or even business/product management. I follow the process, which means Manager and BA, since it's their job to communicate with the business/executives, not mine.
Now if an executive asks me a question, I will answer straight up to the best of my ability, but I never go to them.
if it wasn't for the other people.
Tough luck. You are not your own company. Sure, there are good managers and there are bad ones. Just like there are good IT people and bad ones.
Many IT departments I have been in contact with don't listen. "Please follow procedure," without any reasoning. 10 different logins that they choose, with different password rules for each of them. Next they moan if I call for a reset.
I have seen how they did an annual presentation of their department with a one page Excel sheet. I have seen an IT department tell everybody to leave the building and go home, because there was a computer virus. Inadequate people are everywhere, including in IT.
I have seen bad management teams as well, looking for whatever they were looking for and not listening to reason. An IT department that said it could save a LOT of money, but no reaction whatsoever. Investing 60 EUR was prohibited because nobody cleared it, and thus at least 120 EUR per day was lost. Meetings of several hours about the brand of coffee that would be bought for 50 people.
So unfortunately it all comes down to interacting with others. If a dialogue was possible, it all went well. If no dialogue was possible, it all went to shit.
Don't fight for your country, if your country does not fight for you.
Ya, right, it's the communication fault of the technical people, bullshit. That's the canned excuse Business people use. In order to preserve that excuse they have no desire to understand.
> If the boss doesn't understand and still doesn't ask why you think something is important, then
> he is just as much to blame for the communication failure
That's true for ANY communication failure. What does blame get you?
If I'd like to get something done, I can either communicate it in a way that gets it done, or not.
It does me no good to go about it such that it fails and I can blame the other guy.
Blame and $2 will buy a cup of coffee ($8 in California).
It is the "Ding Culture", nobody wants to get "dinged".
I started off my career with the ethic of being completely honest about what I could do and could not do. If I found a flaw or mistake in my code, or someone else's, I would report it under the belief it would prevent problems and be welcomed.
Then I had a job where if I mentioned a problem, even before it occurred, I would "get dinged".
So I learned to keep my mouth shut and fix things on the sly.
You can't expect to have open communication if you penalize people for what they might say.
I warned company execs of exactly these kinds of risks. I angered the president of the company to the point that I was laid off as soon as he had the paperwork processed. I was surprised he didn't fire me on the spot. That's how badly he demanded that engineering and manufacturing be moved to China. He refused to hear of any risk to company intellectual property. He knew the value of his stock options depended on doing what he, in the end, did.
I got "turfed" for all my hard work. This, after I spent 30 years in the industry and provided product development engineering talent and software technologies that contributed directly to much more than hundreds of millions of dollars on their bottom line each year.
Is there really any question why people won't communicate these kinds of things "up stream?"
Should it not be management's job to know that security vulnerabilities lead to business problems? Why is it IT's responsibility to learn business management, legal requirements, etc?
If I go to management and say "the fire escape is broken" it is their responsibility to deal with it and understand the consequences (that is what they're paid the big bucks for, after all). I don't have to go through case law, reports and news stories and provide them with a PowerPoint documenting that company X got fined 50 trillion dollars for having a broken fire escape and we have a P% probability of having the same happen.
Yes, but that would require the techie to understand the management speak in the article.
There's the problem again.
(Spudley Strikes Again!)
If you are asking for resources to be spent to avoid a particular risk, you either have the professional knowledge to discuss the level of risk, or you're talking out your ass.
How can you get that knowledge? We logged just over 10,000 brute-force attacks last year on the x,000 sites we monitor. I can query those logs to provide various numbers. So logging is one way. The major security lists get several reports per day. Monitoring those lists will help you understand the threats - how common they are, how costly they are, and how to mitigate the risk. Sometimes engineers focus on mitigation, but knowing how to mitigate risk is pointless until you know which risks you should be focused on.
Suppose you don't have time to learn about all that. You probably don't have time to learn about a lot of things, so you listen to some experts. Bruce Schneier or myself might post something you'll want to read and feel you can trust. If we security professionals do our jobs right, we'll include some risk assessment data. You can always ask us questions. Every three years, you might call one of us in to look at your systems and provide some specific recommendations, along with information about WHY we recommend those things.
I don't know about you, but I HAVE hard data to base my estimates on. If you don't, a professional opinion giving a rough estimate isn't "made of whole cloth". If you're making recommendations, you should be able to say with some confidence that an SQL injection attack on a public web server is at least 100X more LIKELY than having your WAP cracked. Management may not know that, but somebody in IT should know it and be able to communicate it to management.
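The post above argues that the numbers management needs ("just over 10,000 brute-force attacks last year") come from querying your own logs. The script below is an added example, not code from the poster or from Tripwire, showing how such figures can be pulled out of ordinary OpenSSH auth-log lines. The log entries, the host name, the IP addresses, the year and the brute-force threshold (five failures from one source within five minutes) are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format OpenSSH writes on most Linux hosts.
# These are made-up entries (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
Aug 30 02:14:01 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 30 02:14:03 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51236 ssh2
Aug 30 02:14:05 web1 sshd[4021]: Failed password for admin from 203.0.113.7 port 51238 ssh2
Aug 30 02:14:08 web1 sshd[4021]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Aug 30 02:14:10 web1 sshd[4021]: Failed password for invalid user oracle from 203.0.113.7 port 51242 ssh2
Aug 30 02:14:12 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51244 ssh2
Aug 30 09:30:44 web1 sshd[4100]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Aug 30 09:30:52 web1 sshd[4100]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
Aug 31 11:02:17 web1 sshd[5002]: Failed password for root from 192.0.2.99 port 22222 ssh2
Aug 31 11:02:18 web1 sshd[5002]: Failed password for root from 192.0.2.99 port 22223 ssh2
Aug 31 11:02:19 web1 sshd[5002]: Failed password for root from 192.0.2.99 port 22224 ssh2
Aug 31 11:02:20 web1 sshd[5002]: Failed password for root from 192.0.2.99 port 22225 ssh2
Aug 31 11:02:21 web1 sshd[5002]: Failed password for root from 192.0.2.99 port 22226 ssh2
Aug 31 11:02:22 web1 sshd[5002]: Failed password for root from 192.0.2.99 port 22227 ssh2
Aug 31 11:02:23 web1 sshd[5002]: Failed password for root from 192.0.2.99 port 22228 ssh2
"""

# Matches sshd "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text, year=2013):
    """Return a list of (timestamp, source_ip, username) for each failed login.
    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


def brute_force_sources(events, threshold=5, window_seconds=300):
    """Sliding-window check: a source counts as brute-forcing when it produces
    at least `threshold` failures inside any `window_seconds` span.
    Returns {source_ip: total_failures_from_that_source}."""
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


def risk_summary(events, threshold=5, window_seconds=300):
    """Headline numbers of the kind a manager can act on: how many failed
    logins, how many distinct attacking sources, which accounts are targeted."""
    flagged = brute_force_sources(events, threshold, window_seconds)
    days = {ts.date() for ts, _, _ in events}
    users = Counter(user for _, _, user in events)
    return {
        "failed_logins": len(events),
        "attack_sources": len(flagged),
        "brute_force_attempts": sum(flagged.values()),
        "days_observed": len(days),
        "attack_sources_per_day": len(flagged) / len(days) if days else 0.0,
        "top_targeted_accounts": users.most_common(3),
    }


if __name__ == "__main__":
    for key, value in risk_summary(parse_failures(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a year of real auth logs, the same summary gives the "10,000 brute-force attacks" style figure directly, plus the detail (sources per day, accounts being guessed) that turns it into a concrete argument for a password policy or login rate limiting rather than a vague warning.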
Last time I communicated security risks to an executive, I was told to shut up. The owner/CEO had been using "bob" as his password for 30 years and wasn't about to change it, or allow password complexity policies because of some "theoretical risk." ...if only I'd thought ahead and gotten his E-trade username before I quit...
Perhaps they should do this and that. They aren't reading this thread, so talking about what they should do is not helpful. ...
What can we nerds do to help the situation? If speaking in terms of business risks solves the problem
You see relevant news stories on CNN / MSNBC / Fox. How hard is it, really, to send your boss the link with a note saying "I noticed we're vulnerable to this. I'd like to discuss securing our systems from this type of problem"?
It's too much information. I don't care how it works. Just fix it.
It isn't that management doesn't care, or doesn't understand (which probably happens a lot anyway), it is the fact that the things they DO care about and DO understand are all negatively affected by "Security" issues.
Basically application development becomes more complex, expensive, cumbersome, requires more approvals, documentation, oversight, etc...
All things that a manager doesn't like to hear all summed up in a word. Combine this with FOI and privacy, well he is in for a bad day.
Oh and it has to be hosted on a more expensive server that is harder to get to, and is inconvenient for all your clients, and other applications to talk to, requires additional regular IT support you are required to pay monthly, etc....
So yeah, when you work for a boss that "doesn't want to hear it", likely he only does when he absolutely has to (and some might have subjective degrees of when that is).
The finance department doesn't communicate when they have taken risks that might cost people their jobs or the company entirely.
HR doesn't let you know how much you should be paid to be paid fairly or what benefits you should get much less what other people get.
Accounting doesn't tell you when the company gets behind on payables and vital services are about to be cut off.
Marketing doesn't tell you when they've botched everything and blown the company cash reserves on a hack job SEO contractor and sales database.
Management doesn't warn you before layoffs.
Security guards don't tell the rest of the company when their cameras are broken.
The cafeteria doesn't tell you when they might have undercooked the chicken.
Seriously, somebody missed the point of specialization. Yes, more communication would be better, and that is why we have so many middle managers. Unfortunately, that field of specialists are the leftovers and weakest at their jobs. Good thing they aren't actually critical, but downsizing them out has always proven difficult. The point of a department is to take care of a given scope of operations and to take the burden of worrying about such things off the other employees.
But don't you see the problem there? Your boss doesn't listen to you. Your boss listens to WSJ and Forbes. Why?
And saying that "the boss speaks business, the tech speaks geek" doesn't quite get to the heart of it either. If the parties valued the communication, they would talk it out and reach an understanding. I suspect that the parties (either or both) don't care enough to reach that understanding.
Look, we have to be real here. I've been in IT 25 years and during that whole time I've been reading about one technical risk or another. There have been thousands over the years and security is the job that never ends. If I notified management of every issue they'd think I was the Boy Who Cried Wolf.
The next issue is, for the techs, it's not at all easy to measure what the actual risk of any given exposure is. Most of us aren't security specialists and even for those who are, measuring the risk exposure is a mug's game. Even ranking them is tough. That's one reason why I liked the SANS Top 10 list.
From the business side, the security message is a bad news story. Either the company spends money to prevent/control/mitigate the risk, or it accepts the risk of the exploit. Simply knowing about the risk imposes liability upon management. It's bad news all around. We can decry adolescent behaviour on the part of management but in strictly human terms, it's understandable that they might want to simply run away and stick their head in the sofa. If the boss is an A-Hole, then this correlates to blaming the messenger.
The article's talking about IT staff not communicating security risks. But my argument would be that most IT staff do not have sufficient understanding of security risks.
They may understand that certain bad things can happen.... but do they actually know how likely they are? NO.
IT staff can give you some idea of what some of the risks are, but only from a limited perspective.
To have a full understanding of risks, you need more than a technologist's point of view.
You need both the technologist's understanding of the risks, AND an understanding of the statistics and research in the field of security. Security risks should be evaluated by personnel who are equipped to do it, not by IT.
One of IT's jobs should be to confer with security personnel, and security personnel can ultimately check the research and run the internal studies to make the necessary findings about the extent of risk, and help senior management come up with the appropriate strategy that balances all the various risks and mitigation costs.
From TFA:
Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.
Here is another possible outcome: change the executive and get people that are actually able to understand what is going on in their company, and what their employees are doing.
True, I skipped step 1 "get a few levels above helldesk".
However, if you can speak business, or translate a little bit of techspeak into something that makes business sense and do it in front of a mid-manager or above, that may help you GET into a position where you can do so regularly.
jablowme?
If you report all security risks to management, they will rebuff your assertions with half-truths, and things they misunderstood, or simply made up. They will also treat you like a raving loon. Most actually have to see damage done, and even in the face of a current ongoing external security breach, most would somehow make up some kind of story to blame the IT person for it. I have no doubts for example that when TJ Maxx installed WEP on their WIFI routers, someone alerted them, but was told to 'keep pushing your wire into things, and leave business configuration to people who wear ties'. Later they lost billions, and caused immense security and monetary headaches for dozens of banks, but refused to accept any blame themselves. But getting back to the general discussion: why speak to them if they won't listen? You can't get away with "I told you so" after damage has been done, because they will claim 'they didn't (and still don't) understand all of this computer gibberish'.
Everywhere I've worked (as a sys admin or network engineer) we've always voiced our concerns and it is always the 'adversarial' problem. Management has a problem with the 'security through obscurity' thing, where they think no one outside the company knows the company's network exists. You can talk till you're blue in the face, but they won't listen. They even make statements about the firewalls just wasting the company's money. Last place I worked they insisted that 'password' was a good enough password for people to have, and removed a rule that didn't allow it. The main people who pushed it were the IT manager and the infrastructure team leader (who was an MS Server Admin - you'd think they'd know better). There were some other stupid decisions I won't go into, but whenever a new manager comes in and starts to pull apart/destroy the security of the network, it is always a good time to leave.
Sure enough, the cow costume was hanging up next to the superhero outfit and sailor's uniform. (S,Spud)