Slashdot Mirror


Survey: Most IT Staff Don't Communicate Security Risks

CowboyRobot writes "A Tripwire survey of 1,320 IT personnel from the U.S. and U.K. showed that most staff 'don't communicate security risk with senior executives or only communicate when a serious security risk is revealed.' The reason is that staff have resigned themselves to staying mum due to an environment in which 'collaboration between security risk management and business is poor, nonexistent or adversarial,' or at best, just isn't effective at getting risk concerns up to senior management."

8 of 227 comments

  1. one-way street by X0563511 · Score: 5, Insightful

    IT would love to, but upper management doesn't want to hear it.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    1. Re:one-way street by intermodal · Score: 5, Insightful

      Or, more to the point, they don't understand it even if you try to tell them. And many in upper management, if you communicate the problem, will immediately turn it on you, wanting to know why you haven't fixed it already.

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    2. Re:one-way street by robinsonne · Score: 5, Insightful

      Exactly.
      Management doesn't want to hear about it.
      Management doesn't understand it.
      Management doesn't want to spend money on it.

      Nothing happens until it becomes an "issue" and then it's somebody in IT who gets the axe while everyone above is covering their asses.

    3. Re:one-way street by JustOK · Score: 5, Funny

      The risk of this vulnerability is 2.5 Snowdens.

      --
      rewriting history since 2109
    4. Re:one-way street by Anonymous Coward · Score: 5, Insightful

      From my own experience, having brought security concerns to 'responsible' adults during my formative years in school, I was trained that doing so instantly results in demonization of the messenger. NEVER EVER point out that the emperor has no clothes.

      This is fairly common in schools, and other organizations. How much does this behaviour train people to silently ignore security issues when discovered for fear (often well earned fear) of unjust reprisals for bringing them to the attention of those who are 1) most affected 2) responsible to prevent/fix these issues?

    5. Re:one-way street by NatasRevol · Score: 5, Insightful

      That sounds like it would help productivity.

      --
      There are two types of people in the world: Those who crave closure
  2. Of course not. by nine-times · Score: 5, Insightful

    As someone who has been working in IT for almost two decades, I'm not the least bit surprised. There are all kinds of things that we've given up on trying to communicate. People don't want to hear it. They don't understand what you're saying, they don't want to figure it out, and if you can get them to understand, they still don't care.

    In the case of security, it falls into this classification of 'technical things nobody even wants to understand' and also into the classification of 'preventative measures that people will not recognize the importance of, until after it bites them in the ass.' You tell people that it's a bad idea to use "password" as your password, and they'll blow you off. The more you stress the point, the more annoyed they'll become -- all the way up until someone malicious gains access to their accounts. Once they've been hacked, they'll come back angry, demanding, "Why didn't anyone tell me it was a bad idea?"

    Until there's an actual security breach, people think you're chicken little. They'll tell you, "I've been using 'password' for my password for 10 years and I've never had a problem."

    Face that kind of attitude for several years, and you get awfully tired of warning people.

  3. "6% of $1M loss = $60K, can be avoided for $4K" by raymorris · Score: 5, Insightful

    To take that a step further, it would be interesting to see what happened if those complaining of poor communication emailed their boss saying:

    You may have seen the Forbes and WSJ articles related to the security breach at XYX Corp.
    We are currently at risk for the same type of issue. I estimate a 6% chance of a breach in the next three years which would cost the company around $1 million,
    so we have an actuarial liability of $60,000. If we secure the system, I estimate the risk would be reduced to 3%, eliminating $30,000 of the liability. I estimate the cost as $4,000 to eliminate that $30,000 liability and much of the $1M risk.

    That way you are presenting management with this decision: "do we want to save $30,000 by spending $4,000?" That's not too technical; those are exactly the decisions they are trained to make.

    Looking at it that way can also teach us engineers something. We might estimate the cost of a breach at $30,000 with a 1% chance of it happening. That's a $300 liability. If it would require 10 man-hours to fix, including meetings and stuff, the company would lose a lot of money trying to fix it. (Remember people cost approximately double their salary, once you pay for health insurance, taxes, their office space, etc.) Management would be "right" to simply accept the risk, knowing that something bad might happen, at a cost of $30K. Better to risk a $30,000 problem that probably won't happen than to spend $2,000 to avoid it. (Best would be to make a note to fix it in the next version / rewrite, when the _extra_ cost is only 1 man-hour.)
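The expected-loss arithmetic in raymorris's comment, written out as an added example (not code from the thread) that generalises it to comparing several mitigation options against the baseline of simply accepting the risk; the Risk/Option names, the $100/hour salary figure and the assumption that a deferred fix leaves no residual probability are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A finding the way the comment frames it: impact if it happens, and the
    probability of it happening over the planning horizon."""
    name: str
    impact_usd: float
    p_before: float

    def liability(self) -> float:
        # Expected loss if nothing is done (the comment's "actuarial liability").
        return round(self.p_before * self.impact_usd, 2)


@dataclass(frozen=True)
class Option:
    """A mitigation: what it costs and the residual probability afterwards."""
    label: str
    cost_usd: float
    p_after: float


def labor_cost_usd(hours: float, hourly_salary: float, load_factor: float = 2.0) -> float:
    # Loaded cost of staff time; the comment's rule of thumb is roughly double salary.
    return round(hours * hourly_salary * load_factor, 2)


def evaluate(risk: Risk, option: Option) -> dict:
    # Liability removed by the option, minus what the option itself costs.
    reduction = round((risk.p_before - option.p_after) * risk.impact_usd, 2)
    return {"option": option.label, "liability_reduction": reduction,
            "cost": option.cost_usd, "net_benefit": round(reduction - option.cost_usd, 2)}


def recommend(risk: Risk, options: list[Option]) -> dict:
    """Pick the option with the largest net benefit. Accepting the risk is the
    baseline (net benefit 0) and wins when every fix costs more than it saves."""
    accept = {"option": "accept the risk", "liability_reduction": 0.0, "cost": 0.0, "net_benefit": 0.0}
    return max([accept] + [evaluate(risk, o) for o in options], key=lambda e: e["net_benefit"])


# Constructed scenarios using the comment's numbers (the hourly salary is assumed).
BREACH = Risk("breach of the kind reported at XYX Corp", impact_usd=1_000_000, p_before=0.06)
SECURE_NOW = Option("secure the system now", cost_usd=4_000, p_after=0.03)

MINOR = Risk("minor finding", impact_usd=30_000, p_before=0.01)
FIX_NOW = Option("fix now (10 loaded man-hours)", cost_usd=labor_cost_usd(10, 100), p_after=0.0)
# Simplification: treats the deferred fix as fully effective and ignores exposure while waiting.
FIX_IN_REWRITE = Option("fix in next rewrite (1 extra man-hour)", cost_usd=labor_cost_usd(1, 100), p_after=0.0)

if __name__ == "__main__":
    print(recommend(BREACH, [SECURE_NOW]))
    print(recommend(MINOR, [FIX_NOW]))
    print(recommend(MINOR, [FIX_NOW, FIX_IN_REWRITE]))
```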