Slashdot Mirror


Senior Managers Are the Worst Information Security Offenders

An anonymous reader writes "As companies look for solutions to protect the integrity of their networks, data centers, and computer systems, an unexpected threat is lurking under the surface — senior management. According to a new survey, 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account to work remotely, putting that information at a much higher risk of being breached. 58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

181 comments

  1. Seen it on the job: by Hartree · · Score: 5, Informative

    This is supposed to be some great revelation?

    They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

    1. Re:Seen it on the job: by Ben4jammin · · Score: 5, Insightful

      It will be a revelation to senior management.

      They will in fact need reports such as this to recognize the reality that all us IT workers have known for years. See, the fact that you don't understand that is why you are likely not in senior management :)

    2. Re:Seen it on the job: by Penguinisto · · Score: 5, Insightful

      Sad, but true.

      I remember a CEO of a moderate-sized corp (!?) who didn't see the need for locking down his Blackberry.... until he lost it one night while out on the town. Took me all of five minutes to crawl out of bed and wipe/lock the device remotely via BES, but the funny part was that it took that incident (and a gentle explanation of why I wiped his device - he originally wanted me to "locate" it for him) before he figured out that security was more than just a buzzword that got in his way.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Seen it on the job: by Grey+Geezer · · Score: 4, Funny

      Yes, It's not just electronic communication either. A senior manager where my wife once worked wrote the code for the entry door keypad...on the keypad, because memorizing it (or writing it down on a piece of paper he would have to dig out of his pocket) was too much trouble. True story. (I'm sure you all have stories as bad or worse than this one.)

      --
      The USA is only 4X older than me...perspective
    4. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      yep

      just this week i had to make a change to our reporting system to allow people to email any report to anyone just because the manager didn't want the hassle of me giving him permissions to dozens of reports

      and he did one of those screen sharing meetings with me and he had lots of work going to evernote

    5. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      This is supposed to be some great revelation?

      They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

      And have their passwords on a sticky note attached to their monitor.

    6. Re:Seen it on the job: by asylumx · · Score: 1

      They are also the employees who are more likely to be dealing with secure or private information, so it does stand to reason that they'd be more likely to accidentally share that information.

    7. Re:Seen it on the job: by MickyTheIdiot · · Score: 4, Insightful

      So the moral of the story is we should all get together and set up a Gartner-like "consulting" firm where we make C*O's pay million dollar consulting fees and (unlike Gartner) they get the common-sense information they can get from any security text book since the C*Os will only listen to advice that they pay a bazillion dollars for. They are mentally incapable of listening to the smart IT guy in their department that they pay $40k a year.

    8. Re:Seen it on the job: by i+kan+reed · · Score: 2

      Regarding your sig: if it's a UDP opinion, doesn't that mean you don't want anyone to acknowledge it?

    9. Re:Seen it on the job: by Anonymous Coward · · Score: 1

      There's a simple reason for it too.

      IT managers who think that they own the network, and try to lock everything down. When an IT manager decides that there's going to be no VPN, and that access to resources from off site is simply banned, it's no surprise that senior management says "no, I'm above you, and I need to do this" and finds a way.

    10. Re:Seen it on the job: by AJH16 · · Score: 1

      And they are also the ones more likely to be willing to admit it without fear of reprisal.

      --
      AJ Henderson
    11. Re:Seen it on the job: by Anonymous Coward · · Score: 2, Insightful

      Good! Overly locked down IT systems are the cause of this issue. Every time an IT manager locks something down, someone has to find a work around to get their job done. The result, instead of going through a fairly controlled set of internal (but trusting of internal users) systems, the content just gets pushed to external systems as a work around, and a much bigger security issue appears.

    12. Re:Seen it on the job: by alen · · Score: 1

      in some cases this is a real solution

      imagine an apple employee working via VPN and downloading new code to their home computer and then share it to the world accidentally. or any company working on a new product. or hipaa data

      in these cases there should be a virtual desktop solution or some application front end to do work. my wife has access to some outside of VPN apps to do work with HIPAA data

    13. Re:Seen it on the job: by Penguinisto · · Score: 4, Funny

      It means I don't particularly worry if anyone does or not. ;)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    14. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      Our higher-ed CIO is guilty of this. First he announces that laptops and PCs are "consumer devices" and shouldn't "need" encryption. He talks about how his work laptops aren't "centrally managed" and don't use encryption - it's just not needed. A few months ago, he decides to try his hand at data analytics, and makes a copy of our student database to one of his laptops, which he takes home with him. I'm thinking it's a matter of time before this laptop gets lost or stolen.

    15. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      except later on i looked in our logs and found that on average changes to reports were done a few times per month. this was after an email migration when some reports stopped flowing and i had to make some changes.

    16. Re:Seen it on the job: by cusco · · Score: 5, Insightful

      I work in physical security. Executives are bad, but the absolute worst are doctors. There is a local hospital where the keypad code (1234) for the 'Doctors Entrance' hasn't changed in 23 years, because the doctors refuse to remember their own 4-digit code. Every attempt to change it has resulted in surgeons immediately marching into the executive offices and threatening to quit (really). Even an irate and armed ex-husband entering the hospital through that door didn't convince them. Getting them to use a key card is almost impossible unless they can have one card to leave in the Mercedes, another for the Porsche, and another in their desk that they can retrieve by tailgating into the building. /rant

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    17. Re:Seen it on the job: by Ben4jammin · · Score: 4, Interesting

      I once had to remove all the copy codes on all the copiers in the building because apparently the CFO was incapable of memorizing a 5 digit number...I wish I were making this up.

    18. Re:Seen it on the job: by CthulhuDreamer · · Score: 4, Funny

      The CEO of a company I used to work for claimed the VPN was inconvenient, so he would basically sync our entire file server to his laptop every day - marketing, finance, development projects, the works. His laptops were also constantly being misplaced or stolen, so who knows how many copies of everything we had are floating around out there. Every business trip was a major security breach in the making.

    19. Re:Seen it on the job: by TrollstonButterbeans · · Score: 0

      The IT department is there to support senior management. So it is ok if they don't follow security policy.

      Seriously.

      Security policy is so a $9/hour drone doesn't screw things up. If a big-wig with a hefty 6 figure check messes up, it isn't the same story.

      Film at 11.

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    20. Re:Seen it on the job: by LVSlushdat · · Score: 3, Funny

      Have seen senior managers (CEO-level) saving their daily-to-do's emails in the TRASH!!

      Back in the 90s, the company I worked for at the time, was a Novell+Groupwise shop, and we discovered that the company CEO was saving important email to the Groupwise trash. Found this out when we did a trash purge over a weekend and come Monday morning, CEO's executive assistant was on the phone to support saying that the "big-boss" lost a LOT of important email... I was the foot-soldier on call that day, so I had to run down to his office, and investigate. I had to fight hard to keep from laughing out loud when the assistant (big-wig was out of the office, but assistant had big-wig's password(s)) showed me just WHERE the emails had been stored, after a lot of prodding and question-asking.. Since I knew there had been a Groupwise trash purge over the weekend, I knew exactly where the mail had gone, but hoping against hope that the Novell salvage had not been cleared yet, I called the desk admin, and fortunately he was JUST getting ready to clear salvage.. I managed to stop him, and we were able to recover the big-wig's email.. Being I was the new-guy, there was NOOOOO way I was gonna tell the CEO and his assistant "you DO NOT PUT EMAIL YOU WANT TO KEEP IN THE TRASH!!!" .. I left that up to my big-boss, the CIO... Needless to say we had many chuckles at the next month's team meeting...

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    21. Re:Seen it on the job: by MickyTheIdiot · · Score: 3, Informative

      In Indiana an admin can be held legally responsible if their network isn't properly secure. I understand what you are saying here, but there are professional and sometimes legal reasons something is more secure than an exec wants.

      And while I agree you have your paranoid admins, most admins are struggling just to do basic security that no admin would consider controversial. Like someone else already said... there are many, many papertrails out there so that an admin can show that they attempted to do basic security but they couldn't do it because some big fish in a little pond wanted to be sure he could telnet in from bolivia.

    22. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      Sounds like you're asking someone to not do their job. You want the legal liability, fine it's on your head. Have fun in prison for violating your government contract and leaking the private information of thousands of people. IT requires that you not be a selfish dick who only thinks of the next financial quarter, yet having foresight to prevent issues before they happen is imposing...and we wonder why the major problems of the world can't be solved.

    23. Re:Seen it on the job: by jandrese · · Score: 1

      Also, they're not in as much danger of losing their jobs if they admit it.

      --

      I read the internet for the articles.
    24. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      They are mentally incapable of listening to the smart IT guy in their department that they pay $40k a year.

      If the IT guy is working for $40k/year then he is probably not very smart.

    25. Re:Seen it on the job: by MickyTheIdiot · · Score: 2

      Where do you live? You do realize that people live in the states between the two coasts, right? You can have a very sharp IT guy making $40k here and be doing okay.

      But, anyway, you missed the point by picking at the example.

    26. Re:Seen it on the job: by MickyTheIdiot · · Score: 1

      Same thing has happened to me with saving mail in the trash, but luckily it wasn't a CEO and I could say don't do that. He still did it again later.

    27. Re:Seen it on the job: by Grishnakh · · Score: 1

      Um, this seems wrong. If senior management doesn't like the way the IT manager is running things, then why are they letting him keep his job? If they're above him (i.e., they're his bosses), then they need to either follow his rules, or they need to fire him and replace him with someone who does things the way they like.

    28. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      Regarding your sig: if it's a UDP opinion, doesn't that mean you don't want anyone to acknowledge it?

      It means he doesn't care if you get it.

    29. Re:Seen it on the job: by aaarrrgggh · · Score: 1

      It isn't a question of if they can or cannot remember a 5-digit number, they simply can't be bothered to remember it. Security has to be easy/transparent in order to work; it is just that executives have a lower pain threshold. Same net effect as making everyone change unique, secure passwords every week. They WILL end up on a post-it.

    30. Re:Seen it on the job: by Sir+or+Madman · · Score: 3, Insightful

      And have their passwords on a sticky note attached to their monitor.

      Then stop making us change our passwords every 2 months. We all know that doesn't work anyway.

    31. Re: Seen it on the job: by Anonymous Coward · · Score: 0

      Still not very smart. Move.

    32. Re: Seen it on the job: by Bengie · · Score: 5, Insightful

      The value of money is relative to the cost of living. Keep your $100k/year job with $300k house and 3 hours commute. I'll stick with my lower paying job in a smaller town with a $100k house that is much larger than yours and 5 minute commute.

    33. Re:Seen it on the job: by multisync · · Score: 2

      It will be a revelation to senior management.

      They will in fact need reports such as this to recognize the reality that all us IT workers have known for years.

      Yeah, right. Senior management will never read a report titled "Senior managers are the worst information security offenders" on a site called net-security.org, any more than they would read a report at motherjones.com about the disparity between the wages of regular employees and executives.

      --
      I don't care why you're posting AC
    34. Re: Seen it on the job: by multisync · · Score: 1

      Keep your $100k/year job with $300k house and 3 hours commute

      OT, but wow, they sell houses for $300k where you live? I would have trouble finding a one-bedroom condo for $300k in my neck of the woods.

      --
      I don't care why you're posting AC
    35. Re:Seen it on the job: by whoever57 · · Score: 4, Interesting

      It will be a revelation to senior management.

      No, it won't. Senior managers are very often less intelligent than the people they oversee. What senior managers possess is greater (but misplaced) confidence in their own abilities and/or some level of sociopathy. These conditions lead to willful blindness of their own failings.

      --
      The real "Libtards" are the Libertarians!
    36. Re: Seen it on the job: by the+grace+of+R'hllor · · Score: 5, Funny

      Move to Detroit. I've seen free-standing houses for less than $5000 on some real estate sites. Plus it's in a colorful, lively neighborhood.

    37. Re:Seen it on the job: by slapout · · Score: 3, Funny

      So you're saying the Financial Officer wasn't good with numbers?

      --
      Coder's Stone: The programming language quick ref for iPad
    38. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      And once they grasp this, it will still be YOUR fault.

    39. Re: Seen it on the job: by Anonymous Coward · · Score: 1

      Move to Detroit. I've seen free-standing houses for less than $5000 on some real estate sites. Plus it's in a colorful, lively neighborhood.

      If you are seeing houses for 5k then they are probably not condemned and may still have their copper wiring and pipes. The city owns thousands of abandoned properties. They are selling them in batches to not overload themselves. The bad houses that are effectively just the land are going for 1k and the good ones that may be of value are going for 2k. It is a good system to reduce urban blight. Urban gardens are really taking off, and as time goes by this housing project is showing a dramatic change in crime and quality of life for the residents. Granted crime started 3rd world country high and quality of life started almost as bad.

    40. Re:Seen it on the job: by jbolden · · Score: 2

      Companies aren't a line; they are a complex web of competing interests, more like a society. Lots of people have enough authority to bypass or get special permission for security policies but don't have the power to change them for the whole company or fire the IT security manager.

    41. Re: Seen it on the job: by Sedated2000 · · Score: 1

      I built a brand new 1850sqft house with all the bells and whistles (granite/hardwood floors) for less than 300K. I live in Hampton Roads, Virginia. My house isn't unusually cheap or expensive for what I got either, it's about middle of the road in price.

    42. Re:Seen it on the job: by Anonymous Coward · · Score: 3, Insightful

      >If a big-wig with a hefty 6 figure check messes up, it isn't the same story.

      Oh, it's the same story all right, and the big-wig will BLAME IT ON YOU.

    43. Re:Seen it on the job: by Anonymous Coward · · Score: 1

      In Indiana an admin can be held legally responsible if their network isn't properly secure. I understand what you are saying here, but there are professional and sometimes legal reasons something is more secure than an exec wants.

      I'll call bullshit on this. Link or it didn't happen, unless by legally responsible you mean fired. Because you can be fired for no reason at all too in the US.

    44. Re:Seen it on the job: by dcollins · · Score: 1

      These words are all crystallized truth.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    45. Re:Seen it on the job: by turbidostato · · Score: 1

      "Lots of people have enough authority to bypass or get special permission for security policies but don't have the power to change them for the whole company or fire the IT security manager."

      And a lot of times it's simply they *want* the 'status quo': they want and enforce draconian security for the minions and exceptions for them, both because the draconian security model doesn't work at all, so they really need to bypass it, and because that way it's obvious they are top brass and the other people just minions.

    46. Re: Seen it on the job: by jedidiah · · Score: 1

      Less than 300K meaning $299,999.99.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    47. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      It will be a revelation to senior management.

      No, it won't, because they won't be bothered to read this. This will be read by the IT people who already know better than to call out the CEO for doing stupid shit.

    48. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      One of our higher-ups is adamant that we store project information in Dropbox because using the VPN would just be too much of an inconvenience.

      *sigh*

    49. Re:Seen it on the job: by dbIII · · Score: 1

      One amusing example I shamelessly exploited was a two digit code on the copier in a University engineering department. Eventually one hundred people had access so any two digit code worked.

    50. Re:Seen it on the job: by dbIII · · Score: 1

      Have seen senior managers (CEO-level) saving their daily-to-do's emails in the TRASH!!

      I had one of those too but not very high level. He ripped into me about his important stuff vanishing in the lunchroom in front of a lot of witnesses, most (including myself) who were trying not to laugh.

      Yet another reason for frequent, good and easily available backups.

    51. Re:Seen it on the job: by ObsessiveMathsFreak · · Score: 1

      There is a local hospital where the keypad code (1234) for the 'Doctors Entrance' hasn't changed in 23 years, because the doctors refuse to remember their own 4-digit code

      Why is there even a code on the Doctors' entrance in the first place? The doctors have enough to be concerned with without someone else's technological "solution" getting in their way.

      --
      May the Maths Be with you!
    52. Re:Seen it on the job: by The+Wild+Norseman · · Score: 2

      Why is there even a code on the Doctors' entrance in the first place? The doctors have enough to be concerned with without someone else's technological "solution" getting in their way.

      Exactly. Doctors do not need a coded door; they just need a body of water to walk on.

      --
      "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
    53. Re:Seen it on the job: by jbolden · · Score: 1

      True, there can be a totalitarian / political aspect to it often as well even when there is a clear hierarchy.

    54. Re: Seen it on the job: by Anonymous Coward · · Score: 0

      It certainly does work. Do you KNOW how many accounts I would still have access to, if I Wanted to use them, at my old job because they 1. insisted on telling me their passwords when I didn't want them and 2. didn't change them.

    55. Re: Seen it on the job: by Anonymous Coward · · Score: 0

      In Massachusetts, at least, he would have just committed a misdemeanor.

    56. Re:Seen it on the job: by cusco · · Score: 1

      Really? Where do I start? Does someone have a clue-stick I can whack the poster with?

      Hospitals have areas that are off-limits to patients and public, for very, very good reasons. In most places that have a side staff entrance it opens into the off-limits area.

      Doctors generally have plenty of cash and high-limit credit cards, tend to carry expensive toys around with them, and an awful lot of them also carry around drugs of various types. They don't need some random meth-head robbing them in their lounge.

      Hospitals (and most other large facilities) need to be able to lock down all the exterior doors in case of an emergency, while still allowing access to staff. My customers have had to deal with situations like irate armed ex-husbands, influenza pandemics, a plane crash, and a bunch of gang-bangers who wanted to finish off the guy they had only wounded in the drive-by.

      I'll stop here, have to go do something useful. There are plenty more reasons, like discounts from their insurance carriers, that could be added.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    57. Re:Seen it on the job: by Anonymous Coward · · Score: 0

      You may or may not understand: In most states, hospital and medical practices (even med practice corporations) can *only* be run by physicians. The absolute top management of the Medical Industry has traditionally been only physicians. Which makes sense: You really *don't* want a bean counter making business decisions that dictate patient care.

      The Medical Industry has catered to physicians, by necessity and because it made sense for the sake of the patient.

      That has shifted. Insurance now controls the socio-medical complex, ameliorated only by mega-hospital complexes. Obamacare has and will accelerate that. Good that physicians increasingly must now toe lines of security. Bad that your care will now be controlled by Senior Executives of the Insurance industry.

      Anyway, most of the Senior Executives in medicine were doctors.

      captcha: fumble

    58. Re: Seen it on the job: by Sedated2000 · · Score: 1

      No, around 265K

    59. Re:Seen it on the job: by hairyfish · · Score: 1

      Well clearly it does since you ack'd a response :)

    60. Re:Seen it on the job: by hairyfish · · Score: 1

      It's ironic because what you just wrote just describes your average IT nerd too...

  2. Shocking... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Who would have thought that immunity from consequences would lead to carelessness?

    1. Re:Shocking... by Anonymous Coward · · Score: 0

      Who would have thought that Senior Managers are more prone to Senior Moments?

    2. Re:Shocking... by i+kan+reed · · Score: 1

      [Insert generic dig at the financial industry here]

    3. Re:Shocking... by bill_mcgonigle · · Score: 1

      What, "incentives matter"? These days that's enough to get you labeled an anarchist.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. 1984 by Anonymous Coward · · Score: 0

    It all boils down to "who is watching the watcher".

    1. Re:1984 by Anonymous Coward · · Score: 0

      No, I think you mean "I am the walrus"

    2. Re:1984 by MickyTheIdiot · · Score: 1

      goo goo g'joob

    3. Re:1984 by tqk · · Score: 1

      Coo coo cachoo, surely.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  4. Maybe by Anonymous Coward · · Score: 3, Insightful

    58% of senior management reported having accidentally sent the wrong person sensitive information (PDF), compared to just 25% of workers overall."

    Statistics like this are meaningless unless you know how often senior management is sending out information that requires filtering out sensitive information versus general workers. I would expect a CEO to send out more info than the mail clerk and hence a higher chance of sending out sensitive info.

    1. Re:Maybe by Anonymous Coward · · Score: 0

      It's reasonable to expect more competence and more caution from someone who is paid millions.

    2. Re:Maybe by SJHillman · · Score: 3, Insightful

      "Senior management" doesn't always equate to "paid millions". I work at a medium sized company, around 1000 employees, but of the 20 or so individuals that would qualify as "senior management", only two of them are "one-percenters", and neither of them is even close to a half million in salary. Sure, they're paid more than the rest of us but for most companies, the difference isn't nearly as vast as you seem to imagine it to be.

    3. Re:Maybe by Anonymous Coward · · Score: 0

      It's reasonable to expect more competence and more caution from someone who is paid more in general.

    4. Re:Maybe by Penguinisto · · Score: 2

      Seriously? The average CEO salary is nowhere near "millions". You only find that kind of cheddar in the Fortune 500 companies, and even then you'd often have to count stock options into the total.

      Hell, in the last two companies I worked in, the School Board Superintendent of Portland, OR made more ($250k) than either of them (~$150k and $175k, respectively).

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:Maybe by Anonymous Coward · · Score: 0

      It's reasonable to expect more competence and more caution from someone who is paid more in general.

      You are funny

    6. Re:Maybe by loufoque · · Score: 1

      For small-medium companies, the CEO is only paid 150k to 350k.

    7. Re:Maybe by queazocotal · · Score: 1

      Quite.
      But - if the senior managers are dealing with 100* the sensitive material that a normal employee does - then their rate is very considerably better indeed.
      They only need to deal with four times as much sensitive information to do twice as well.

    8. Re:Maybe by MickyTheIdiot · · Score: 1

      No.. he just still believes the propaganda.

    9. Re:Maybe by MickyTheIdiot · · Score: 1

      which is STILL more than the guy doing all the work.

    10. Re:Maybe by bsolar · · Score: 1

      You assume that these managers are not being more competent/cautious but the provided statistics are not enough to infer that.

      Some lower-ranking workers might have to send out sensitive information only sporadically or even not be allowed to send out sensitive information at all, while a manager might have to send out sensitive information on a daily basis. This means that the manager will make many more errors than the lower-ranking worker even if they are equally competent/cautious and maybe even if he is actually more competent/cautious.

    11. Re:Maybe by Spazmania · · Score: 1

      They aren't paid more because of their caution.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    12. Re:Maybe by bsolar · · Score: 1

      In small companies the CEO might even be "one of the guys doing all the work" and might even be one of the best at it.

    13. Re:Maybe by loufoque · · Score: 2

      A CEO typically does 80-hour weeks, and has a sufficiently good understanding of the product and the market that he managed to make a business with it.
      Do you seriously think that it's a problem that he's paid marginally more than his employees that do 40-hour weeks and don't directly contribute to bringing money inside the company?

    14. Re:Maybe by jmcvetta · · Score: 1

      I call BS on the claim that CEOs typically work significantly longer hours than their employees. I've never once observed this first-hand at any company I have worked with. Also some CEO activities such as going to fancy dinners with clients, while perhaps important to the company, are closer to leisure than to work.

    15. Re:Maybe by MickyTheIdiot · · Score: 1

      Actually, I don't have a problem with a CEO getting paid marginally more, but the numbers of employees "not bringing money inside the company" tend to be a lot smaller than the executive-worshiping culture likes to admit. Plus I don't believe any employee is 300 times more valuable than any other, but then I am a dirty hippie, eh?

    16. Re: Maybe by loufoque · · Score: 1

      Try funding your own company and you'll see.

    17. Re:Maybe by Grishnakh · · Score: 1

      Here in New Jersey, all the school board superintendents make around $250k. What's really interesting is that just about every little town and municipality has its own, separate school board, so a typical "school district" probably only comprises 2 or 3 schools (elementary, middle, high school). Yet each one has its own superintendent and associated bureaucracy, with lots of administrators making huge salaries and getting generous retirement pensions. This is a big reason why the property taxes in this state are the highest in the nation.

    18. Re:Maybe by operagost · · Score: 1

      So you assume that senior managers do no work?

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    19. Re:Maybe by Anonymous Coward · · Score: 0

      So you assume that senior managers do no work?

      And you have evidence that they do?

    20. Re:Maybe by Anonymous Coward · · Score: 0

      Small business employee here. Our owner is easily the hardest working member of the staff.

    21. Re:Maybe by Pope · · Score: 1

      They do, they're just not at the office, they're at home.

      And going to "fancy dinners with clients" is about networking: keeping current clients happy and trying to get new ones. You know, to produce income?

      --
      It doesn't mean much now, it's built for the future.
    22. Re:Maybe by afidel · · Score: 1

      The median compensation for CEOs of publicly traded companies in 2011 was $9.6M (source).

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    23. Re:Maybe by Penguinisto · · Score: 1

      Counting only publicly-traded companies is cherry-picking, me lad.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    24. Re:Maybe by afidel · · Score: 1

      It's the only actual data available, only the IRS would have the information for privately held companies.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    25. Re:Maybe by jmcvetta · · Score: 2

      And going to "fancy dinners with clients" is about networking: keeping current clients happy and trying to get new ones. You know, to produce income?

      As said, it may well be quite valuable to the company. But it is nevertheless more similar to leisure than to labor.

    26. Re: Maybe by Anonymous Coward · · Score: 0

      Why?

      Competence has never been correlated with salary. Firstly salary is a function of demand. And secondly a function of sociopathy with the end goal being allowed to set your own salary.

    27. Re:Maybe by sjames · · Score: 1

      In theory, yes. In practice, expect a toddler with a gun scenario.

    28. Re:Maybe by Anonymous Coward · · Score: 0

      So... not very good managers then? After all, in the "new order", only the amount of money and bonuses you get are important. Respect, experience, wisdom, all just tools for fools.

      Or so I've heard.

    29. Re:Maybe by Anonymous Coward · · Score: 0

      It's hard to comprehend how NJ has that much bureaucracy. I find that things are usually pretty lean that close to local service delivery. It's the back end that gets porky. For example, the province of Ontario's Ministry of Education has added 10,000 out-of-classroom jobs in the last 10 years, and I can't see that they've had any contribution. Meanwhile, class sizes were allowed to grow (during many years of politicians crowing about lower class sizes).

    30. Re:Maybe by KramberryKoncerto · · Score: 3, Insightful

      While it's often easier in certain ways than doing "real" work, it's also less of a leisure activity than it seems. One could be anxious that he didn't kiss enough asses, for example. I know I hate it.

      For most people it's already troublesome to meet people all the time for business, especially when you don't always enjoy their company. A lot of these CEOs would rather spend time with their family, actual friends or perhaps mistresses. Some, though, can find themselves enjoying the act more than other work, while still treating it seriously and developing actual skills for it. Arguably we can say the same about coders who like to code.

    31. Re:Maybe by dbIII · · Score: 1

      That combined with all the cuts is starting to explain why children in Nigeria are starting to get a better grounding than a lot of children in the USA.

    32. Re:Maybe by dbIII · · Score: 1

      A CEO typically does 80-hour weeks

      Only if they count playtime as work.
      A small business owner is likely to do those 80 hour weeks. A CEO not so much.

    33. Re:Maybe by DeSigna · · Score: 2

      Getting a bit OT here, but I have not worked at a single company where the CEO/Managing Director/whatever did not work at least 2x the number of hours of practically everyone else.

      For my current boss, stock market dabbling is leisure. Wining and dining whiners and strategic customers can be fun but it means he doesn't get to spend time with the wife or golfing or just chilling in front of the TV. He's in at 5am checking projections and talking with vendors/big customers, regularly leaves at 4pm to go to business and networking seminars until late at night, or is just in the office until 6-7pm.

      He's in his sixties, this is an established business that's been around for decades. Would you have the energy to build something like that from the ground up? I don't. He did. If he wants to relax a bit and drop the average back to a low 70-odd hours a week, good for him.

    34. Re:Maybe by jmcvetta · · Score: 1

      Different experiences, I guess. I've never worked with a company where the CEO worked even a bit longer than the average employee.

      And honestly, your example with the CEO of a well-established company sounds more like an unfortunate example of bad time management and/or a desire to avoid his personal life, than an admirable example of hard work.

  5. Unexpected? by Anonymous Coward · · Score: 0

    I do not think it means what you think it means.

  6. Sampling bias by SirGarlon · · Score: 3, Insightful

    Senior managers *should* exchange a lot of communication with a lot of people. That creates more opportunities for a mistake. A rational policy would be for the people who most commonly transfer important information to have the best security tools and training.

    But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    1. Re:Sampling bias by Attila+Dimedici · · Score: 2

      Who exactly is going to educate these executives? The people being talked about in this article generally outrank in the corporate hierarchy the people who teach everybody else to maintain information security, on pain of being fired.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    2. Re:Sampling bias by SJHillman · · Score: 1

      Have you ever tried to educate a senior exec? Sure, there's a few good ones out there, but for the most part you may well try teaching a dead dog to fetch your slippers.

    3. Re:Sampling bias by Trepidity · · Score: 4, Insightful

      Trying to get them to follow any kind of IT policy is nearly futile as well. Many recognize the need for an IT policy in the abstract, and will be happy to sign off on something that the average worker has to follow, but they see themselves as a special case that needs more freedom to operate as they see fit.

    4. Re:Sampling bias by Penguinisto · · Score: 1

      But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

      Yeah, I know - sarcasm... but educating a CxO isn't as hard as you think - the only real trick is to carve enough time out of them to do it.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:Sampling bias by Anonymous Coward · · Score: 0

      In fairness to everyone, the average IT policy is a collection of "best practices" that have no foundation in reality and are chosen by the IT staff because it's the easiest pseudo-security to implement. This is usually done with no input from the rest of the organization except the vaguely worded policy approved by someone who only skimmed it.

      If you want a security policy to work, you have to start by discussing the costs vs. dangers of business as usual and each change you want to make. You need to have that discussion with those who will be affected, and you have to be ready to suggest at least three levels of paranoid defense for each problem, all with preliminary price estimates (and example costs of insecurity).

    6. Re:Sampling bias by MickyTheIdiot · · Score: 1

      Try to "educate" a "big picture" C*O guy on this and then re-edit your comment.

    7. Re:Sampling bias by SirGarlon · · Score: 1

      I don't report to senior executives, so no. But if I did, and they wouldn't listen to my ideas for how to minimize corporate espionage and massive data breaches, I would start looking for a new job where my professional skills were valued.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    8. Re:Sampling bias by MickyTheIdiot · · Score: 1

      I guess I have Sampling Bias too, but every time I have tried to do this I have been accused of trying to hold the organization back. I have had a lot of bad managers in my career I admit, and most of them equate their own convenience with "doing what is right for the organization."

    9. Re:Sampling bias by msobkow · · Score: 2

      "Let's not educate the executives?"

      Clearly you have never tried to "educate" an executive. Their inevitable response is "I need to do this", and to make you responsible for preventing the damage they risk and cause. It's the email administrator's fault that the email system let them send that financial report to the wrong people, dontcha know.

      --
      I do not fail; I succeed at finding out what does not work.
    10. Re:Sampling bias by Spazmania · · Score: 1

      Some have simply given up on trying to force the general-case IT policy to be useful. They "solve" the usability problem for their specific case by ignoring IT and using outside tools over which IT has no control.

      "IT goon: Business comes first. We're here to support your business!"

      "Me: Great! We build software systems based on open source, so our developers need access to github."

      "IT goon: Sorry, that's a file sharing site. Using it is against policy."

      "Me: You said business first. Our business uses open source software from github."

      "IT goon: That's right! Business first! Just no file sharing sites."

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    11. Re:Sampling bias by Anonymous Coward · · Score: 0

      If you want a security policy to work, you have to start by discussing the costs vs. dangers of business as usual and each change you want to make. You need to have that discussion with those who will be affected, and you have to be ready to suggest at least three levels of paranoid defense for each problem, all with preliminary price estimates (and example costs of insecurity).

      And the first time the CEO tries to watch porn after implementing your newly specced out security policy, do you think he's going to give a damn?

    12. Re: Sampling bias by Anonymous Coward · · Score: 0

      Watching porn at work should be handled by some sort of employee conduct policy. If you are handling it with your IT security policy, your IT security policy is broken.

    13. Re:Sampling bias by Anonymous Coward · · Score: 1

      Senior managers *should* exchange a lot of communication with a lot of people. That creates more opportunities for a mistake. A rational policy would be for the people who most commonly transfer important information to have the best security tools and training.

      But nah, let's not educate the executives on how to safely handle critical data, because they should know without being told and it feels so good to laugh at them when they make a mistake.

      I wish they would listen. I've tried discussing security with senior management and have literally been told, "I don't understand the need for all this nerdy stuff." He continued ignoring policies.

    14. Re: Sampling bias by Anonymous Coward · · Score: 0

      Anonymously report the porn watcher to HR along with irrefutable logs showing the access, then sit back and watch the fun. Especially if it's a pointy headed boss doing the pr0n...

    15. Re:Sampling bias by Anonymous Coward · · Score: 0

      Some have simply given up on trying to force the general-case IT policy to be useful. They "solve" the usability problem for their specific case by ignoring IT and using outside tools over which IT has no control.

      "IT goon: Business comes first. We're here to support your business!"

      "Me: Great! We build software systems based on open source, so our developers need access to github."

      "IT goon: Sorry, that's a file sharing site. Using it is against policy."

      "Me: You said business first. Our business uses open source software from github."

      "IT goon: That's right! Business first! Just no file sharing sites."

      So tell him to set it up with automated and distributed backups, including a test restore plan and implementation test instead. Or set it up in a VM yourself.

    16. Re:Sampling bias by Anonymous Coward · · Score: 0

      Yeah, sure you would. You don't even have access to the 2nd floor elevator and you're talking like you're from the planet Krypton.
      That being said, the junkyard still has respect for a guy that can lift a 21" CRT. -- knock yourself out.

    17. Re: Sampling bias by Anonymous Coward · · Score: 1

      And this is the core problem. IT security is ignored because we put into place stupid policies. Porn isn't a security issue in and of itself. It may be correlated with malware, but the malware is the issue, not the porn.

      Similarly we require random password changes. We put so much shit for backups and virus scanning on people's computers that they slow to a crawl. And we spend billions for security on systems that nobody would hack into because in practice nobody wants the data. Etc etc.

    18. Re: Sampling bias by Anonymous Coward · · Score: 0

      Most crackers nowadays just want the cycles, not the data, Nimrod.

    19. Re:Sampling bias by Spazmania · · Score: 1

      You understand github is an internet site while git is a piece of software, right?

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  7. Why is this surprising? by megla · · Score: 1

    Senior management frequently consider themselves exempt from just about all company policies which apply to the lower ranks; it shouldn't be too surprising to find that IT security policy is among the ones they feel are below them.

    1. Re:Why is this surprising? by Anonymous Coward · · Score: 0

      Maybe that's because a) they *make* the policy and b) they *are* above it?

  8. I'm guilty of this and I'm not even senior. by ip_freely_2000 · · Score: 1

    Work is expected to get done over a weekend so I take it home.

    1. Re:I'm guilty of this and I'm not even senior. by sandytaru · · Score: 1

      So work hasn't assigned you a work laptop, or at the very least, given you a VPN so you can get into a secured network to get your files? Not even OWA or the other open source equivalents on the work network to email yourself at the work address instead of sending it to an unsecured third party email?

      --
      Occasionally living proof of the Ballmer peak.
  9. "Ram it through" by chispito · · Score: 1

    Need anything else be said?

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  10. anybody on a Helldesk can testify to this by swschrad · · Score: 3, Funny

    "I am the Senior Vice-Neutron for Intracorporation Multinational Reassignment! You must open port 23 at once so I can check my stocks!" who hasn't heard something like that?

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:anybody on a Helldesk can testify to this by cusco · · Score: 4, Informative

      Having to unblock AOL so that the marketing exec could send/receive company documents to his personal email account was annoying. The subsequent flood of spam was the only thing that let my boss get away with blocking AOL again. The marketing exec was surprised at our reaction, he just thought that was the way email systems were supposed to be.

      This was the same idiot who needed his laptop reinstalled three times in four months when he installed the latest version of AOL's client software the same day it was released.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    2. Re:anybody on a Helldesk can testify to this by Anonymous Coward · · Score: 0

      We have a very similar problem with a guy that insists on surfing Indian search engines for porn.

      This is what "AC" posts are really for...

  11. All too true by Anonymous Coward · · Score: 0

    I have to deal with this from several Exec VPs. They just do not understand and refuse to listen. Thankfully I have a nice long paper trail protecting my ass.

  12. O RLY? by Professr3 · · Score: 0

    "In other news, some news that isn't news"

  13. "Accidentally" by gmuslera · · Score: 1

    Like sending AWS/rackspace management passwords in plain text by email. If you choose to drive drunk because you know better and kill someone, it is not an accident anymore.

  14. Friggin crazy by Spiked_Three · · Score: 1, Interesting

    This is total BS. The Slashdot summary of the article anyhow.

    As a senior, but with practical security experience, plenty of it, I can tell you what is happening is the younger crowd are FAR more likely to lie about having sent business information. The older one gets, the less they care about lying to cover their ass.

    Secondly I will say that in every job I worked, I knew a lot more about security than the company did. An exception might be the companies that specifically hired me, to breach security at their companies, as proof their college educated certified IT people were clueless. Someone on the board of those companies knew the difference between book smart and actually smart.

    Great example; the white house;
    me: why does CICS have all these storage violations everyday?
    OPM: oh they are nothing, just program bugs
    me: no, they are storage violations. You can't tell the difference between a program bug and someone intentionally going after info.
    OPM: your fired.
    Guess what news story was next to be covered up and swept under the rug?

    Bosses, senior or not, who do not want to hear bad news is what leads to things like the Healthcare rollout fiasco. And they are the #1 security problem in I.T. as well.

    --
    slashdot troll = you make a compelling argument I do not like the implications of.
    1. Re:Friggin crazy by Anonymous Coward · · Score: 0

      OPM: your fired.

      That's because he found out you lied about that college degree, the cat was out of the bag when you wrote that email saying "OK, will do, your the boss".

    2. Re:Friggin crazy by Spiked_Three · · Score: 1

      Back then, didn't have to lie about it. People were more interested in what you knew, as opposed to how much money you paid for a piece of paper. But yeah, it was right around the time that was changing, so maybe that's it.

      --
      slashdot troll = you make a compelling argument I do not like the implications of.
    3. Re: Friggin crazy by Anonymous Coward · · Score: 0

      Snowden-tovarisch, is that you? Go back to gulag!!!

  15. So, your company has no AUP? by sl4shd0rk · · Score: 1

    Your job as a security wank is to get the policies straight and give them to management to disseminate and get signatures on. Presumably, management has signed off on these just like everyone else. After that, it's mostly an HR problem.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
    1. Re:So, your company has no AUP? by dbIII · · Score: 1

      Yep, HR sorts out the firing if you make too much noise about a senior manager breaking the policy or if the manager thinks you will do so.
      I'm very happy that I'm in a small enough place now that incompetence has nowhere to hide.

  16. Bad analysis (total amount vs. frequency) by Anonymous Coward · · Score: 0

    While there probably is some truth behind this, the given statistics are near worthless.

    Judging by the absolute number of mistakes (i.e. "have you ever made mistake X?") naturally makes those who have been working longest most probable of being guilty. By this standard interns in their 1st day of work ever are the ultimate example of data security. They have not had a chance to goof up!

  17. Epic facepalm moments by Solandri · · Score: 4, Interesting

    A former boss of mine had a bad habit of hitting Reply instead of Compose when writing new emails. I noticed I'd get emails from her which were totally unrelated to the mail she'd hit Reply on. I warned her several times that that could be dangerous since hitting reply automatically includes the previous email(s) as a quote.

    Then one day it happened. She decided to send out a mass email to all staff, and composed it by hitting Reply on one of my emails. I got into work, checked my email, and did the biggest head-desk of my life. She had replied to one of my emails where we'd been discussing employee bonuses and pay raises, including extensive deliberation over what we were going to tell certain employees in their annual performance review. That lengthy discussion was quoted and got sent to the entire staff. Fortunately the damage wasn't as severe as it could have been - the four employees we'd discussed in the email thread were all good employees so most of our comments had been positive.

    On the up side, it broke her habit. She never composed a new email by hitting Reply again.

    1. Re:Epic facepalm moments by operagost · · Score: 1

      Let me guess: Lotus Notes? I can't think of any other program that wouldn't make it obvious that the previous email was being quoted.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    2. Re:Epic facepalm moments by 140Mandak262Jamuna · · Score: 1

      Nah, even gmail hides all the previous thread under a tiny icon that has three dots.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    3. Re:Epic facepalm moments by ToddInSF · · Score: 1

      What I've always told my clients is this:

      If it's important enough to keep private, don't have it on your computer...

      Employee bonuses discussed via emails? Really?

  18. "Unexpected"? by grasshoppa · · Score: 1

    Maybe by other senior managers.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  19. In other news... by sconeu · · Score: 1

    The Sun is hot.
    Water is wet.
    Politicians lie.

    Film at 11.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  20. Upper management gets special treatment by GodBlessTexas · · Score: 1

    At my last job, upper management had different password strength requirements because they couldn't handle the normal ones designed to make them use secure passwords. Instead of 8 characters minimum with at least one capital letter, number and special character, they simply got away with 8 characters. Why? Because they complained enough, couldn't remember their passwords, and had the power to exempt themselves.

    --
    Remember the Alamo, and God Bless Texas...
    1. Re:Upper management gets special treatment by operagost · · Score: 1

      It's kind of like admitting you're less intelligent than the employees. Not what I'd care to do.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    2. Re:Upper management gets special treatment by jbmartin6 · · Score: 2

      I call this the 'Executive Paradox'. At least on paper, the exec's time is extremely valuable. So if he is trying to bring up a presentation to, say, the Board of Directors (whose time is also extremely valuable) and has a password problem, a lot of extremely valuable time is wasted. So it is a lot riskier to impose security controls on senior managers than it is on lower level folks whose time isn't quite as valuable. The risk of a breach resulting from executive policy exceptions has to be weighed against the cost of any controls that result in wasted executive time.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:Upper management gets special treatment by dbIII · · Score: 1

      There are ways around that such as the XKCD "correct horse battery staple" example. They may think you are weird (yes, kiss of death in some workplaces but in others IT is expected to be weird) but it gets the job done properly.

    4. Re:Upper management gets special treatment by dbIII · · Score: 1

      a lot of extremely valuable time is wasted

      If your job is secure it's worth suggesting timed toilet breaks to people who take that line.

      A boss is a boss and not someone with the divine right of kings.

  21. of course, they're useless by thetoadwarrior · · Score: 0, Offtopic

    Nearly every single problem with a company can be attributed to the managers, especially senior managers. They're useless leeches.

  22. Hardly a revelation... by Anonymous Coward · · Score: 1

    Things I've seen managers request in some of my former places of employment:

    1) All passwords on the network were to be "standard". There were some minor differences in the passwords depending on the user, but for the most part, they were all XXX1234. With XXX being the initials of the user and the digits being the hire date or some such. No big deal normally, except that every employee had to display an ID card that had their name and hire date.

    2) "Free software" would not be allowed. Consequently, an out-of-date and broken public key encryption tool was mandated instead of GPG.

    3) HR Manager demanded that a share be opened up to a particular group because his team needed to share files. Rather than creating a smaller group and allowing that small group, he demanded that the existing group be used. Consequently, the employee salary information was visible to almost everyone with a login. This one was particularly annoying because he insisted that the job of IT was not to dictate policy, but to implement policy. I.e., IT would need to transparently keep the logins secure even with open access. This was a big deal at the time because of a notion that good computer interfaces meant that the computer changed to accommodate the user and not vice versa.

    4) Manager surfed porn from operations PC. This was fun. I was in support at the time. Loss Prevention called and asked for me. I was worried. While the guilty manager was there, they had me pull up the browser history and system logs. The image cache was particularly interesting. I tried to be as diplomatic as possible.. "OK.. The log shows that someone with ID xxxxxx logged into the computer at 1:30AM. At 1:35AM, Internet Explorer was opened with that account. The logs show that this ID then visited the following sites..." Etc.. etc.. Can you see what was on those pages? "I can tell you the URLs but I don't recommend visiting the site." What sort of sites? Then the list of porn sites followed.. Weird, bizarre stuff.

    I'm posting this as Anonymous because I still work at one of these places...

  23. Limited Options by Anonymous Coward · · Score: 1

    At my workplace our IT team has a policy about using cloud services like Dropbox for security reasons. Will our IT team consider rolling cloud storage on our own servers? Nope. Their solution is to use a flash drive. While many just outright violate the policy to get work done, I have done as they suggested and use a flash drive. To date I have lost (and quickly recovered) it 3 times.

  24. Give them a dashboard app instead of access by perpenso · · Score: 1

    They're also the ones who can get security policy overridden so that something can be easy for them. Regardless of the problems.

    That is why you develop "dashboard applications" for their computer or phone that give them the overview that they want; it pre-empts them from asking for access to the actual data. The data can be accessed and summarized by the server side software that only sends the summary info needed for graphics and labeling on the client app.

    1. Re:Give them a dashboard app instead of access by tqk · · Score: 1

      That is why you develop "dashboard applications" for their computer or phone that give them the overview that they want ...

      ... And the ship runs into an iceberg floating by and sinks anyway since nobody thought to look out a porthole from time to time. I'm sure I've heard this one before.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    2. Re:Give them a dashboard app instead of access by sjames · · Score: 1

      Found one

  25. Well, Yes... that is correct... by Anonymous Coward · · Score: 0

    ...it has also been well known for the past 25 years.

  26. And more by jasper160 · · Score: 1

    From my experience they are also the biggest violators of porn, intentional breaking of assets to get a newer one, and keeping hardware on departure. When I was a DOD sysadmin all of our spillages (accidental classified material leakage) in a 10k person command were caused by O4s and above. Like the corporate world nothing happened except some long days and nights for the sysadmins to wipe all the systems, backups, and applications that touched the data. I'm sure if some lower enlisted person did it they would be toasted.

    --
    No good deed goes unpunished.
  27. Senior Managers Are the Worst by Anonymous Coward · · Score: 0

    tl;dr

  28. do you really think senior mgmt will read a book? by logicassasin · · Score: 2

    what land is this you live in?

    No, seriously, upper management has ALWAYS been the bane of anything IT related. Every boneheaded request, every response of "well, why can't I do that?" or "... it would just be easier for me that way..." always comes from senior management and no matter how many times you tell them why it has to be done a certain way, they just don't get it.

    --
    Fifty watts per channel, baby cakes.
  29. So about the technical solution? by Anonymous Coward · · Score: 0

    Fellow IT guy. So management can't find their butt without two interns and a conference call? Well, good to see I'm not crazy. Got any studies about what happens to technical folks who either strike out on their own or at least refuse to work with the observably incompetent? Could we just wash our hands of these people?

  30. Just try ... by PPH · · Score: 2

    ... telling the top brass that they can't take their laptop home to play with. And hand over to the kid to play with. And let the kid download warez.

    When that thing comes back the next Monday morning, it's been totally pwned by any number of evil doers.

    --
    Have gnu, will travel.
  31. Yeah, right. That would NEVER happen at CIA by Anonymous Coward · · Score: 0

    "Top Secret. SCI. ORCON. NOFORN. Oh! Naked Asian babes!" — John Deutch.

  32. Seniority in management or age? by 140Mandak262Jamuna · · Score: 3, Insightful

    Most senior managers are also older than general population. At least some of them came of age before the PC era, mostly during e-mail era. The older folks really do not understand how computers work, or how the networks are secured or how much damage an intruder into their network can do. So we can blame at least part of the problem on their age, rather than management.

    Also most senior managers have flunkies, sidekicks and general assistants who do most of the errands for them. Some of them are not capable of doing very simple things like booking all the things needed for a vacation package over the internet.

    Add to this the sense of entitlement and belief that they are really really smart because otherwise how can you explain the free markets bestowing upon them huge salaries? They must be smart; there is no other explanation in their mind. So they get really really careless.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Seniority in management or age? by Anonymous Coward · · Score: 0

      Get off my lawn!

    2. Re:Seniority in management or age? by RyoShin · · Score: 1

      While I agree that much of this may be about older CxOs not having experience with equipment, this is not a problem that will die with them.

      Just like "Kids these days have no respect or aptitude" has been a thing since the days of Socrates (or, rather, Aristophanes?), so too is "Old people just can't understand" (or, "You can't teach an old dog new tricks"). For the past two decades it's been the internet. Before that it was computers in general. In two decades people 30 years our junior will have hushed conversations about how we're having trouble targeting our Brainmemos to certain employees instead of broadcasting to the entire company, wondering why we find it so hard to figure it out.

      Those assistants and entitlements will stick around, too, but they'll adjust to different things just as the thing that we can't adjust to will also change.

  33. ^^^ This guy is a Senior Manager by logicassasin · · Score: 1

    I've heard some of that near verbatim from senior management whenever a new security measure is introduced.

    --
    Fifty watts per channel, baby cakes.
    1. Re:^^^ This guy is a Senior Manager by Anonymous Coward · · Score: 0

      I've heard some of that near verbatim from senior management whenever a new security measure is introduced.

      And you would have heard it from all the other workers as well, but since you're above them you can't be bothered to listen. Just like the CEO can't be bothered to listen to you.

  34. Quod licet Iovi, non licet bovi by eladts · · Score: 1

    How is that news? This has been known for thousands of years.

  35. How will it be by phorm · · Score: 1

    Do many senior managers read slashdot or net-security? Unless it's in Times/Forbes/etc they're not likely to read about it.

  36. Doctors... by phorm · · Score: 3, Insightful

    I see your doctors and raise you... teachers (especially older teachers). Basically the attitude is "we're here to teach, not to learn" (or pay attention to some young whipper-snapper telling them how to use *their* equipment).

    1. Re:Doctors... by Anonymous Coward · · Score: 1

      The worst security I ever saw was when I was at a large law firm. The problem at a large law firm is that there can be hundreds of lawyers who are considered partners. Each of them is an owner of a piece of the firm. So you have hundreds of people who are effectively senior management. To make matters worse, they're all lawyers.

  37. Re:do you really think senior mgmt will read a bo by rtb61 · · Score: 3, Insightful

    Ego and arrogance got them their position at the top (all that corporate back stabbing, taking credit for other people's work and of course blaming anyone and everyone for executives' own mistakes), so it is hardly surprising that the same attitude is arising in the security decision making. "Security is for the little people, the nobodies; I pay you to make me secure, it's your fault, you're fired" is senior management's normal attitude to security.

    --
    Chaos - everything, everywhere, everywhen
  38. Re:do you really think senior mgmt will read a bo by dbIII · · Score: 1

    Yes but people not in IT often can't imagine the possible consequences so this is news to them.

    It's creeping into popular culture though - a major plot point of one of the "Torchwood" mini series was a manager ignoring security and letting a temp use their login and password. Others in that office treated it as a normal situation.

    Reality is just like that in far too many places.

  39. That's a 1980s argument by dbIII · · Score: 1

    I can introduce you to some 70+ year olds that are likely to understand computers far better than most of the readers here, but they were involved with electronics. With the general population most people in their 60s will have had at least a couple of decades of hands on exposure with computers.

    It's not about experience, it's about not caring.

  40. Re:do you really think senior mgmt will read a bo by hairyfish · · Score: 1

    Have you ever stopped and wondered why? Maybe, just maybe it's you? I mean I've worked in IT a long time, I know the drill, but it's only recently I learnt how to run a business, and how to deal with company politics. In general IT people are shit at making a business case, therefore they get ignored. And this is how it should be. In short, if you can't sell an idea then don't blame the idea or the buyer.

  41. Re:do you really think senior mgmt will read a bo by hairyfish · · Score: 1

    He pays you to make him secure, yet your lack of social skills at selling the security business case caused an incident. I'd fire you too. IT people need to understand that business is more than just good ideas. Selling those ideas (whether it be the product, the HR policy, or the IT security requirements) are all skills every senior employee should have. If your IT manager failed to sell it then someone else deserves a chance at his job.