On Cybersecurity, Execs Are Burying Their Heads In the Sand

An anonymous reader writes shares a report on BizJournals: Despite increased spending on cybersecurity, most executives are unprepared, even willfully ignorant, of the threats that could damage their businesses. A survey of 1,530 C-level executives across of range of industries found a widespread feeling that cybersecurity is an "IT problem," even as CEOs personally shoulder the consequences for breaches. "The Target breach was one of the more significant ones: Executives can be held accountable," says David Damato, chief security officer at Tanium. "But there's still that disconnect. Executives still struggle with: 'What should I be looking for?'"

You want the simple answer?

[gcnaddict]

Put the fucking CISO on the executive board.

Re:You want the simple answer?

[Z00L00K]

Wouldn't help until there's a breach of security anyway.

Way too many don't see the need for improvements in security until it's too late.

Re:You want the simple answer?

[Z00L00K]

No, but the other persons on the board will just say STFU, we got this and kick him out.

That's because they don't think that they will suffer the "pants down" situation when the shit hits the fan.

And that's why the IT department is held off from the board of directors, and why IT departments are outsourced.

Re:You want the simple answer?

[Opportunist]

As long as he still doesn't get any power, he's still just the scapegoat. It's like sitting on an ejector seat, and some asshole on another continent you don't even know has the button to shoot you out.

You don't have to put the CISO on the board. He only needs two powers: First, the power to put his foot down and stop a project if it becomes dangerous. And second to fully put the weight of the responsibility onto the shoulders of whoever overrules him.

Cybersecurity IS a C-level problem

[Stolpskott]

Yes, the technical analysis and implementation of security fixes/updates for hardware and software within a company is a set of IT tasks, but the task of budgeting for that is/should be a finance task, with oversight from C-level legal representation.
If the CEO doesn't know how to handle it, that is fine - as long as he/she understands that they are the ones who will ultimately be left holding the can for a data breach, they will have the incentive to get somebody in place who does know how to handle it - the role of the CEO is to be the figurehead and "big picture" source, not subject-matter expert in all areas.
So the CEO needs to think "this is an IT problem, but I will be carrying the can for a problem, so I need to talk to the head of IT and see what they need to help me save my job", and work from there.

The "IT problem"

[nine-times]

The summary says that many view security as an "IT problem", but it probably fits into the category of IT problems where the real problem is the company's management.

As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management. The first task is persuading management that security is important enough to even consider. The second is persuading them that it's worth spending any amount of money on, rather than asking IT to do what they can without additional resources of any kind. The next challenge is getting management to listen to security experts rather than going off the CEO's half-baked misunderstandings of how security works. The fourth is convincing them to enforce security policies even in cases when the employees don't like them. Finally, you need to get management to follow the security policies themselves, rather than requiring IT to carve massive holes in the security policy for the CEO's convenience.

In my experience, it's pretty rare that IT departments can make it past the second hurdle-- being able to allocate money/resources to security. Even when they do, the security that gets implemented is often porous and full of security theater.

Re:The "IT problem"

[uniquegeek]

I'm always blown away by how much work it is to do this with IT. Do they tell accountants to not use basic accounting principles and resources?

(Well. Maybe sometimes they do.)

Re:The "IT problem"

[uniquegeek]

I agree, but I'd say those are rare. We have so many "Mordac" problems more due to perception and lack of accountability.

At my last job, we didn't have dev servers, never mind someone in security. Several services were lacking in failover because there only was one machine, which would typically be 1-4 years behind in patches and updates. We had 1/3 of the IT staff that other comparable organizations would have. I left last year, and they still haven't replaced me. Most of us on the team were capable of doing a lot better - if only we had had the resources and were allowed to do what we do best.

The IT manager was treated like Mordac of IT services because forcing their computers to have passwords and not being able to install any crapware they felt like was "preventing them from doing their work". The token argument when people weren't getting their way was "But I NEED this". I NEED to install some sketchy tool I found on the internet. I NEED to install this cute bubbly font I found for free on the internet (well the web page said it was free and it didn't cost me anything, so that means it's legit, right?). What do you mean you won't help me with this personal project that has nothing to do with the business? I NEED dropbox because how can I back up my stuff if I don't... no, no, I'm not interested in listening in how stuff is backed up already, I would much prefer to store sensitive data wherever and copy it to my non-password protected malware-infected devices at home. YOU'RE PREVENTING ME FROM DOING MY JOB! WAAAAAAA!

If crying to the other IT members separately doesn't work, then they cry to upper management.

Every IT person who is just trying to do their job is a Mordac to a large group of people. Ignorance or unwillingness to learn the tools of a job is no excuse for sabotaging it or blaming others, and we need to call bullshit on it.

There's been a big focus on security recently that if users are doing the wrong thing, then it's actually the security team's responsibility to make sure that you find a way to make it easy for people to do the right thing. It's a step in the right direction. But there are still some basic standards where we need to say "It's a basic requirement of the job. It's 2016. Get over it, or go a job that's not in an office environment."

Re:The "IT problem"

[__aaclcg7560]

As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management.

I work for a government IT security initiative hat has national and regional support to get the job done. Local support is almost nonexistent since fixing security issues means a local tech will have to track down a computer, persuade the user to surrender it, and then re-image the system to bring it back into compliance. They don't want to touch a system unless a user reports a problem. Security is proactive and not reactive. Since I'm the regional rep assigned to the facility, the local management wants me to go find and re-image these systems for them. It's not my job. Last I checked there were 300+ systems that needed to re-imaging and the list keeps growing.

Re:The "IT problem"

[nine-times]

The kind that enforces mandatory password changes every 30 business days...

That's the sort of thing I mean by "security theater" actually. Overly strict password policies can actually worsen security. I've seen a company where some management guy insisted that everyone reset their password every 30 days (but it would start warning you 2 weeks early, so it would actually prompt you to reset your password every 16 days or so), then password had to be 14 characters long, can't be any of your last 14 passwords, and needs to have a capital letter, lower-case, number, and symbol. Half the people had a post-it on their monitor with their password. The other half used passwords like "P@ssw0rd9!!!!!"

Or to give another example that I've described here on Slashdot before: I once worked at a company where one of the doors needed a 4-digit key code to enter. In order to make it more secure, they started resetting the code every few months. It was a pretty high-traffic door, though, and people kept forgetting the code. First, someone had the bright idea to put up a sign telling people what the code was, right next to the door. When management said they couldn't do that, people started propping the door open with a door-stop. Eventually they realized that rotating the code wasn't actually improving security, so they stopped.

Endless audits, very little actual work.

[clintp]

Once the executive team figures out that IT security is really important they tend to fuck it all up with an endless parade of audits and consultants

Like any parade, it's all for show. These people swoop in, make IT teams fill out questionnaires, conduct interviews, write reports, make recommendations, but nothing real actually gets done. What IT needs are people willing to get their hands dirty and actually help out with these projects. IT winds up having more thrown on their plate without increases in staffing or budget.

Ditch your PricewaterhouseCoopers schmuks and hire someone to actually do the work.

It IS an IT problem

[DogDude]

Of course it's an IT problem. IT people always seem to think that every IT problem is a #1 priority issue in every organization. The thing is, IT isn't #1 unless it's an IT company. IT keeping things secure is just as important as keeping the physical doors locked. It's important, but it's not the CEO's job, any more than it's the CEO's job to make sure that the locks are working properly on the company's doors.

IT people need to take their heads OUT of the sand, and realize that what they do, while important, isn't any more important than any other pieces of large organizations.

Easy

[Ryanrule]

Make them fully and personably liable. 20 million customer records lost? At lets say 1 million per person? Drain the execs bank accounts, liquidate their assets, seize their trust funds, put their children on the street. Problem FUCKING solved.