Slashdot Mirror


Survey: Most IT Staff Don't Communicate Security Risks

CowboyRobot writes "A Tripwire survey of 1,320 IT personnel from the U.S. and U.K. showed that most staff 'don't communicate security risk with senior executives or only communicate when a serious security risk is revealed.' The reason is that staff have resigned themselves to staying mum due to an environment in which 'collaboration between security risk management and business is poor, nonexistent or adversarial,' or at best, just isn't effective at getting risk concerns up to senior management."

33 of 227 comments

  1. one-way street by X0563511 · · Score: 5, Insightful

    IT would love to, but upper management doesn't want to hear it.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    1. Re:one-way street by intermodal · · Score: 5, Insightful

      Or, more to the point, they don't understand it even if you try to tell them. And many in upper management, if you communicate the problem, will immediately turn it on you, wanting to know why you haven't fixed it already.

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    2. Re:one-way street by robinsonne · · Score: 5, Insightful

      Exactly.
      Management doesn't want to hear about it.
      Management doesn't understand it.
      Management doesn't want to spend money on it.

      Nothing happens until it becomes an "issue" and then it's somebody in IT who gets the axe while everyone above is covering their asses.

    3. Re:one-way street by Shoten · · Score: 4, Interesting

      IT would love to, but upper management doesn't want to hear it.

      Partially true, but not universally so. The problem is more that technical staff speaks in terms of technical risks, while upper management thinks in terms of business risk, and the two are not obviously aligned. It's like a patient who wants to know "how bad it is," and the doctor answers in terms of probability of due to . The key is to be more proactive about it, and to qualify where a business/organization is strong or weak in terms of security, while providing a plan to improve things down the road. It's impossible to tell someone what the odds are of X being compromised due to Y risk, resulting in Z cost; the best you can do is look for weaknesses and then come up with a plan to prioritize and fix them. Upper management understands the need to be secure, but they need to be given something they can understand and act on or approve. They won't make decisions based on things they don't understand (if they're smart).

      Of course, if compliance comes into the picture, then the risk definition changes. It no longer becomes about risk of compromise, but risk of fines due to noncompliance. This makes it very easy to categorize the risk and communicate it...and as a result, compliance-based security spending is very high compared to security-based security spending.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    4. Re:one-way street by Moryath · · Score: 4, Insightful

      This, this, a thousand times this. Upper management are always deliberately clueless about security, unless the company is in the business of security.

      Actually having security means:

      - Management has to bother complying with it.

      - Management has to NOT constantly carve out exceptions to it ("I'm the CEO, I'm too important to have to remember my own goddamn password or take 5 seconds entering it into a computer in the morning! Now where's my intern to deliver my coffee and morning blowjob!")

      - Management has to spend the money on the maintenance and monitoring of it.

      - Management, who have the purchasing / decisionmaking power, have to step away from getting blowjobs from pretty interns long enough to actually look at the competing products/options and make a decision.

      - Upper Management will always privilege Middle Management over those whose job it is to deal with security. See point 2 about exceptions: middle management complains "security makes it impossible to get our work done" and the response from Upper Management is never to have the staff spend some time training and understanding the security and why it's there and how to work WITH it, it's "fuck you security why are you getting in the way of business? Shit, I'm taking time off from my two-blowjob lunch to deal with this!"

      And just TRY to talk to them about two-factor identification (via cellphones or a swipe-card or something). You will get nowhere because the brainless, Peter Principle, Fail-Upwards recipients of CEO/CTO/CFO jobs will say it's "too much work" for them to comply with.

    5. Re:one-way street by Moryath · · Score: 3, Interesting

      "Why haven't you fixed it yet?"

      - Because we're coming to you right now to get authorization to spend the money required to fix it.

      "Rarglkebargle that's too expensive, find a free solution instead. Now where's the intern for my morning blowjob?"

      - There is no free solution. It takes time, hours, and a certain amount of training for the staff to get them to understand and help them comply with the security policies.

      "Rargle I'll just find someone else then. Fuck you, you're fired. Time for my powerlunch with the other cocaine-addled executives! Hey, I just saved the company your salary! I think I'll award myself some stock options for my brilliance and frugality!"

    6. Re:one-way street by JustOK · · Score: 5, Funny

      The risk of this vulnerability is 2.5 Snowdens.

      --
      rewriting history since 2109
    7. Re:one-way street by Moryath · · Score: 4, Funny

      They're CEOs which means they are Fox-addled GOP types. Quantify it in Obamas and all of a sudden they'll spend everything in the world to get rid of it.

    8. Re:one-way street by Feyshtey · · Score: 4, Insightful

      Or worse, their ignorance spawns knee-jerk reactions that cripple wide swaths of the workforce's productivity.

      "What!? There's an IIS vulnerability on serverXYZ?! Uninstall all IIS on all systems immediately!"

      --
      "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
    9. Re:one-way street by Anonymous Coward · · Score: 5, Insightful

      For my own experience, having brought security concerns to 'responsible' adults during my formative years in school, I was trained that doing so instantly results in demonization of the messenger. NEVER EVER point out that the emperor has no clothes.

      This is fairly common in schools, and other organizations. How much does this behaviour train people to silently ignore security issues when discovered for fear (often well-earned fear) of unjust reprisals for bringing them to the attention of those who are 1) most affected 2) responsible to prevent/fix these issues?

    10. Re:one-way street by NatasRevol · · Score: 5, Insightful

      That sounds like it would help productivity.

      --
      There are two types of people in the world: Those who crave closure
    11. Re:one-way street by Shoten · · Score: 2

      And that is the crux of the matter. Risk must be quantified in the units in which business decisions are made: dollars. Beyond that, risk needs to be accurately assessed to the point of what is the likelihood and not what is possible. Once we know the likelihood and the cost, decision makers will be able to make their decisions.

      Ah, but here's the problem: It can't be done.

      Explain to me how you will take risk and quantify it in dollars, when the attacks, the attackers and the vulnerabilities are changing over time. Explain to me how you will take the complexity of an environment with multiple critical paths...which will have changed by the time you're done mapping all of them, by the way...and map the vulnerabilities (all of them...you'll need to know this, obviously, and good luck with that) against those, in combination with a full on threat assessment of all the threat actors who may be interested in the organization as a target. Explain to me how you'll actually come up with a probability of compromise for every threat and vulnerability, and a cost for each possible kind of breach. Oh, and since capital planning will be determined using this, you need to predict, with a fair degree of accuracy, how all of this will change over the next 36 months (including guessing correctly about which capital budgets for other business functions will be approved).

      This has been tried; it does not work. It costs an insane amount of money to do it, and this is why none of the security frameworks (CMMI, ITIL's security subset, COBIT, NIST SP800-53, etc.) try to do it. That's why you have to instead look at where you are weak overall, and work on improvement in general terms. There's no way to get to discrete numbers when it comes to this form of risk, because there are actual people on the other end of the equation, trying to change the numbers. It's not like most other forms of risk, where the outside cause is non-sentient and fairly quantifiable with actuarial means.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    12. Re:one-way street by Talderas · · Score: 2

      He just wants a blowjob.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    13. Re:one-way street by Jane+Q.+Public · · Score: 3, Insightful

      "Partially true, but not universally so. The problem is more that technical staff speaks in terms of technical risks, while upper management thinks in terms of business risk, and the two are not obviously aligned."

      Balls.

      If your upper IT management is not also business-savvy, you have the wrong people.

      I have run into this personally, and also seen colleagues go through it. It tends to go something like this:

      IT: "Mr. Manager, sir: the login system I inherited from my predecessor stores passwords in plain text. This is unacceptable, because it puts the company at risk of liability should we ever be hacked."

      Manager: "Haha. Who would bother to hack us?"

      IT: "You never know. That's the problem. But in the unlikely event that we ARE hacked, we could be liable because the system is not properly secured."

      Manager: "How much will that cost?"

      IT: "Mmmmm.... let's see. 40 man-hours to make the code changes system-wide, and 20 man-hours to roll out the database changes. Part of that is to set up a system to send out a mailer to all the users to change their passwords, pages to handle that, and to deal with the traffic that will generate. Say, roughly, $8000 realistically, over a period of two weeks."

      Manager: "Haha. Not bloody likely."

      IT: "But the company could be liable for millions."

      Manager: "It's simply not a problem. Go away."

    14. Re:one-way street by mlts · · Score: 2

      In some companies (mainly seen this in educational institutions), there can be fault finding, "What, there is a vulnerability? Who was the last man in charge? Fire them!"

      I've seen many people in IT who stepped up and reported security issues, only to get a target painted squarely on their backs and, pretty soon after, shown the door with a black mark on their resume of "communicating to others about bypassing company security controls" or some other tale.

      A lot of places will not hesitate to shoot the messenger.

      In cases like these, if the hole has to be fixed ASAP, one can send an anonymous e-mail to all IT people (through a long Mixmaster chain) about the hole. Then it will get cleared up quickly, but most likely a witch hunt will ensue internally. Of course, this has a high chance of backfiring, since a blamestorming session will soon follow with someone getting the boot.

    15. Re:one-way street by DarkOx · · Score: 2

      Or, more to the point, they don't understand it even if you try to tell them.

      I call BS. I know this is contrary to widely held Slashdot opinion, but for the most part people don't get into upper management without knowing which side of the bread to butter. Sure, there are cases where you have the "Vice President of being the CEO's step-son" and "Chief Flirt with the Ownership", and it's true lots of people are promoted to their level of incompetence; but upper management is mostly as smart as you probably are, and with better social skills.

      If they don't understand, it's because you're talking to them at a detailed level on a topic you have lots of time invested in learning and they don't. If your sentence ends with "... and then after a short no-op sled BAM!" you are probably doing it wrong.

      They want to know about risk: what is the likelihood someone could and would exploit the vulnerability, and what harm can happen if they do. Then if you get a question like "but I don't understand, I thought we had a firewall", you can answer with analogies like: "Well, we have a guard who normally sits up by the front entrance. He makes it hard for people to come in and walk out with stuff normally; but if the latch is left broken on the dock door, someone might pull up, toss a bunch of product in the back of a pickup and drive off before he even gets to the other end of the plant to do something about it."

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  2. Holy buzzword Batman! by guytoronto · · Score: 2

    "However, it's clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals."

    Is it possible to cram any more buzzwords into that paragraph?

    1. Re:Holy buzzword Batman! by intermodal · · Score: 2

      They forgot "synergy" and "best practices".

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    2. Re:Holy buzzword Batman! by Compuser · · Score: 2

      "However, it's clear from this report that most organizations fail to properly consider security risks when making day-to-day business decisions. Changing this will require security professionals to talk to upper management about security risks in terms that are clearly relevant to overall business goals."

    3. Re:Holy buzzword Batman! by i+kan+reed · · Score: 2, Funny

      Oh god, when they say that in person, to your face, and mean use email to discuss it, it's time to shrivel up and die.

  3. Spoon fed by barista · · Score: 3, Interesting

    I send out security risk info to our employees every so often, but not all the time.

    Send them out too often, and you risk being ignored. Send them out infrequently, and people say they weren't warned. Once a month seems to do the trick where I work. Management actually encourages this since it keeps people aware without becoming annoying.

  4. Shoot the messenger by Anonymous Coward · · Score: 2, Informative

    Yes, I did stop communicating security risks eventually. I'd say I stopped after the 10 or 20 thousandth 'So what?' from management.

  5. Security = Liability by sinij · · Score: 4, Insightful

    Security = Liability. There is no other way to look at this from the bean-counter point of view. This is why all organizations need a CIO, someone who is capable of translating "if we don't do X, we're going to get pwned" into "if we don't spend X$ and Y man-hours, we are exposing our business to a $Z,000,000-sized liability".

    This problem boils down to techies and suits not speaking the same language. So someone has to translate.

    1. Re:Security = Liability by Anonymous Coward · · Score: 2, Informative

      No, it's not a language barrier. The problem is that techies cannot tell management what the management does not want to hear. Even if the techies translate perfectly, the message "this will cost you $$$ but it MIGHT save you $$$$$!" simply doesn't work no matter how true the message really is.

  6. Re:Unless I misunderstand things. by Impy+the+Impiuos+Imp · · Score: 2, Funny

    DAMMIT wrong thread!

    This was supposed to go in the helicopter RV kills guy thread.

    nothing to see here, move along folks.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  7. Oblig Dilbert by PPH · · Score: 2

    here.

    --
    Have gnu, will travel.
  8. Of course not. by nine-times · · Score: 5, Insightful

    As someone who has been working in IT for almost two decades, I'm not the least bit surprised. There are all kinds of things that we've given up on trying to communicate. People don't want to hear it. They don't understand what you're saying, they don't want to figure it out, and if you can get them to understand, they still don't care.

    In the case of security, it falls into this classification of 'technical things nobody even wants to understand' and also into the classification of 'preventative measures that people will not recognize the importance of, until after it bites them in the ass.' You tell people that it's a bad idea to use "password" as your password, and they'll blow you off. The more you stress the point, the more annoyed they'll become, all the way up until someone malicious gains access to their accounts. Once they've been hacked, they'll come back angry, demanding, "Why didn't anyone tell me it was a bad idea."

    Until there's an actual security breach, people think you're chicken little. They'll tell you, "I've been using 'password' for my password for 10 years and I've never had a problem."

    Face that kind of attitude for several years, and you get awfully tired of warning people.

  9. almost all said "too technical". Wrong words, then by raymorris · · Score: 3, Insightful

    6x% said there was a communication problem. 61%, or almost all with a problem, said it was too technical for management to understand.

    One commenter talked about trying to explain escalation attacks and ssl issues to the boss. Yeah, my boss wouldn't understand that either. He does understand BUSINESS RISKS. If I point to a WSJ or Forbes article about a company that got owned and say "we are vulnerable to the same thing" he'll understand that. He doesn't understand SSL ciphers, he's not supposed to. He does understand "PR nightmare" and "noncompliance".

    If I want business managers to do something, should I maybe explain the business case for what I'm proposing? Maybe point to a line in the WSJ article that says "the attack is estimated to have cost the company $2.4 million so far. No word yet on when their services will be back online". Perhaps that's what management understands better than the technical details?

  10. "6% of $1M loss = $60K, can be avoid for $4K" by raymorris · · Score: 5, Insightful

    To take that a step further, it would be interesting to see what happened if those complaining of poor communication emailed their boss saying:

    You may have seen the Forbes and WSJ articles related to the security breach at XYX Corp. We are currently at risk for the same type of issue. I estimate a 6% chance of a breach in the next three years which would cost the company around $1 million, so we have an actuarial liability of $60,000. If we secure the system, I estimate the risk would be reduced to 3%, eliminating $30,000 of the liability. I estimate the cost as $4,000 to eliminate that $30,000 liability and much of the $1M risk.

    That way you are presenting management with this decision: "do we want to save $30,000 by spending $4,000?" That's not too technical; that's exactly the decisions they are trained to make.

    Looking at it that way can also teach we engineers something. We might estimate the cost of a breach at $30,000 with a 1% chance of it happening. That's a $300 liability. If it would require 10 man-hours to fix, including meetings and stuff, the company would lose a lot of money trying to fix it. (Remember people cost approximately double their salary, once you pay for health insurance, taxes, their office space, etc.) Management would be "right" to simply accept the risk, knowing that something bad might happen, at a cost of $30K. Better to risk a $30,000 problem that probably won't happen than to spend $2,000 to avoid it. (Best would be to make a note to fix it in the next version / rewrite, when the _extra_ cost is only 1 man-hour.)

    1. Re:"6% of $1M loss = $60K, can be avoid for $4K" by dcollins · · Score: 2

      The truth is that those probabilities are just totally fabricated from whole cloth. Now on the one hand, it's true that business managers go through the day making decisions in exactly that way all the time. But engineers are more likely trained to base decisions and declarations on actual hard data (with several places of accuracy), and the cognitive dissonance of that same person just inventing numbers to win an argument may be too much to bear.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  11. Anyone wondering why? by Opportunist · · Score: 4, Insightful

    I've been in IT-Security for about a decade now. I've had my share of consulting jobs and inevitably poor security communication comes down to one of three reasons:

    1. Ignorance at management levels
    2. Blame-shifting
    3. Blinkered management

    Let's shed some light on them.

    One is easily explained and I guess everyone can tell at least one tale of them noticing something being horribly wrong in their IT setup, dashing to their superior, reporting the finding and being met with a blank stare and a "huh? Erh... ooookay... we ... I mean, I will look into it...", leaving you with the feeling that entrusting your superior with a problem is like dumping a baby into a trash can. When this happens more than once, IT becomes complacent as well. Management doesn't give a fuck, so why should we?

    The second is actually worse, but rather common around Europe in my experience: The person who reports the finding gets the blame. Directly or indirectly. Either they get chewed out why they could let that happen (whether it is actually in their responsibility or not), or they are now seen as some sort of management snitch with his peers 'cause he ratted them out and now someone gets the blame. This is usually the case in companies where finding a culprit has a bigger priority than finding the person who can fix the problem. It's amazing how often that is actually the case.

    And finally, management that just doesn't give a fuck. It is usually somehow tied with the first case, ignorance of the importance and size of a problem is tightly coupled with the willingness to ignore it altogether and wish it away.

    In a culture like that, NOBODY is very keen to report problems. It's time management starts to understand that problems are part of the game and nothing that can easily be avoided. The human factor is always in play when work is done, and humans err. By definition. Anyone claiming he doesn't make mistakes simply does not work. It is that simple. Only if you don't work you cannot make mistakes. So mistakes will happen and problems will arise. It is now very pointless to start pointing fingers and spending resources finding the culprit, because after we found him we still have the problem on the table! We can do that AFTER the problem is solved. That not only gives the person responsible for it the chance to fix it themselves, but it is also the sensible order of doing things. First get the problem fixed, then you find a strategy to avoid repeating the mistake. Yes, that may include replacing the person responsible for it, but first of all we should find out just WHY he made that mistake, WHY it was possible for him to make it (actually, 9 out of 10 times it's NOT the person's mistake, it's a mistake in the process. But it's just easier to fire some easily replaceable worker than the process manager...) and HOW we can avoid making it again. Just replacing someone does NOT fix a problem if the process behind it is shot, because the next person will make the SAME mistake again.

    But I ramble, back onto security reporting.

    Companies need to establish a culture of security awareness amongst their workers. Security is the minimum of technical and staff security. The MINIMUM. Not the average. I can have the tightest security system in the world if the users hand out their passwords to anyone calling. Of course, preferably the human factor would be taken out of security altogether, but that is not easily possible. Security reporting must be a process, and a process that is rewarding for the person reporting. Someone reporting a security risk must not be seen as a "problem maker", as he often is. He upset the apple cart, he put sand into the gear, he makes the machine run wobbly. Everything went smooth and then that idiot comes along and says we're insecure. So what, anyone see anything bad happening? This is, sadly often, the approach taken to ITSEC. We have to understand that someone who reports a security problem is not "making" this problem but actually helping us avoid a much bigger problem.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Anyone wondering why? by petes_PoV · · Score: 2

      The person who reports the finding gets the blame.

      Also known as "shoot the messenger". It's a common problem throughout the world, that the person who reports a problem (security issue, software bug, licence lapse, theft) gets tarred with it. A lot of management actually promote this way of dealing with issues as it keeps the number of fault reports down - which they get measured against and rewarded for doing.

      The only way this can ever, in my experience, get resolved is by having QA as an entirely different management structure: outside of software development, hardware, design, testing, production, <whatever>. So a problem does NOT go through an individual's standard reporting structure but through an expedited route, up to vice-president / director level.

      Managers hate it, as it removes from them control over their own staff. But it can work by anonymising reports and disassociating individuals from issues. But it needs a strong QA team to resist the pressure for witch hunts and from sales, who see it as a road-block to getting stuff to market quickly.

      --
      politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  12. based on professional knowledge or desired outco by raymorris · · Score: 2

    If you are asking for resources to be spent to avoid a particular risk, you either have the professional knowledge to discuss the level of risk, or you're talking out your ass.

    How can you get that knowledge? We logged just over 10,000 brute-force attacks last year on the x,000 sites we monitor. I can query those logs to provide various numbers. So logging is one way. The major security lists get several reports per day. Monitoring those lists will help you understand the threats - how common they are, how costly they are, and how to mitigate the risk. Sometimes engineers focus on mitigation, but knowing how to mitigate risk is pointless until you know which risks you should be focused on.

    Suppose you don't have time to learn about all that. You probably don't have time to learn about a lot of things, so you listen to some experts. Bruce Schneier or myself might post something you'll want to read and feel you can trust. If we security professionals do our jobs right, we'll include some risk assessment data. You can always ask us questions. Every three years, you might call one of us in to look at your systems and provide some specific recommendations, along with information about WHY we recommend those things.