On Cybersecurity, Execs Are Burying Their Heads In the Sand

An anonymous reader writes shares a report on BizJournals: Despite increased spending on cybersecurity, most executives are unprepared, even willfully ignorant, of the threats that could damage their businesses. A survey of 1,530 C-level executives across of range of industries found a widespread feeling that cybersecurity is an "IT problem," even as CEOs personally shoulder the consequences for breaches. "The Target breach was one of the more significant ones: Executives can be held accountable," says David Damato, chief security officer at Tanium. "But there's still that disconnect. Executives still struggle with: 'What should I be looking for?'"

The "IT problem"

[nine-times]

The summary says that many view security as an "IT problem", but it probably fits into the category of IT problems where the real problem is the company's management.

As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management. The first task is persuading management that security is important enough to even consider. The second is persuading them that it's worth spending any amount of money on, rather than asking IT to do what they can without additional resources of any kind. The next challenge is getting management to listen to security experts rather than going off the CEO's half-baked misunderstandings of how security works. The fourth is convincing them to enforce security policies even in cases when the employees don't like them. Finally, you need to get management to follow the security policies themselves, rather than requiring IT to carve massive holes in the security policy for the CEO's convenience.

In my experience, it's pretty rare that IT departments can make it past the second hurdle-- being able to allocate money/resources to security. Even when they do, the security that gets implemented is often porous and full of security theater.

Re:The "IT problem"

[uniquegeek]

I agree, but I'd say those are rare. We have so many "Mordac" problems more due to perception and lack of accountability.

At my last job, we didn't have dev servers, never mind someone in security. Several services were lacking in failover because there only was one machine, which would typically be 1-4 years behind in patches and updates. We had 1/3 of the IT staff that other comparable organizations would have. I left last year, and they still haven't replaced me. Most of us on the team were capable of doing a lot better - if only we had had the resources and were allowed to do what we do best.

The IT manager was treated like Mordac of IT services because forcing their computers to have passwords and not being able to install any crapware they felt like was "preventing them from doing their work". The token argument when people weren't getting their way was "But I NEED this". I NEED to install some sketchy tool I found on the internet. I NEED to install this cute bubbly font I found for free on the internet (well the web page said it was free and it didn't cost me anything, so that means it's legit, right?). What do you mean you won't help me with this personal project that has nothing to do with the business? I NEED dropbox because how can I back up my stuff if I don't... no, no, I'm not interested in listening in how stuff is backed up already, I would much prefer to store sensitive data wherever and copy it to my non-password protected malware-infected devices at home. YOU'RE PREVENTING ME FROM DOING MY JOB! WAAAAAAA!

If crying to the other IT members separately doesn't work, then they cry to upper management.

Every IT person who is just trying to do their job is a Mordac to a large group of people. Ignorance or unwillingness to learn the tools of a job is no excuse for sabotaging it or blaming others, and we need to call bullshit on it.

There's been a big focus on security recently that if users are doing the wrong thing, then it's actually the security team's responsibility to make sure that you find a way to make it easy for people to do the right thing. It's a step in the right direction. But there are still some basic standards where we need to say "It's a basic requirement of the job. It's 2016. Get over it, or go a job that's not in an office environment."

Endless audits, very little actual work.

[clintp]

Once the executive team figures out that IT security is really important they tend to fuck it all up with an endless parade of audits and consultants

Like any parade, it's all for show. These people swoop in, make IT teams fill out questionnaires, conduct interviews, write reports, make recommendations, but nothing real actually gets done. What IT needs are people willing to get their hands dirty and actually help out with these projects. IT winds up having more thrown on their plate without increases in staffing or budget.

Ditch your PricewaterhouseCoopers schmuks and hire someone to actually do the work.