IT Decision Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com)
Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while the C-suite thinks of a lesser figure, $11.6 million. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams, believe they have the right protection set up.
Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.
Do nothing. Most will be fine. Otherwise, well, then worry about it.
If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.
They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.
Learning HOW to think is more important than learning WHAT to think.
Managers don't care about security. They give you no time and resources to properly implement it. Then when the breach happens, they suddenly care A LOT about security, and it's all your fault.
There need to be set security standards for the industry, and managers should have to sign off saying they don't care about these standards when they choose not to allocate the proper time and resources for security.
I know what a C-level exec is. What is an "IT Decision Maker?" The full article is basically the summary plus a bit of fluff with no sources and no additional information.
Is "Decision Maker" ManagerSpeak for "Security Team?" Otherwise, it sounds like the study may just be contrasting the opinions of middle-upper and senior management, which sounds pointless.
The Daddy casts sleep on the Baby. The Baby resists!
It doesn't help that the current C-Suite attitude in the US is "Those with MBA's can do no wrong"...
They absolutely agree: "Not us!"...
When you have a situation where each party is blaming the other, the cause is almost always a lack of effective communication by BOTH sides.
If each thinks that the other is responsible, then neither has successfully articulated their opinions to the other.
As an IT person, I do not mind being given the responsibility for handling cyber attacks, as long as I am also given the express authority that "handling" will require, and the budget to provision security and prevention measures.
Of course, I am not going to get the budget that I ask for, no department head ever does. But then my acceptance of that budget comes with the written caveat that a reduced budget directly impacts my ability to "handle" cyber incidents and will increase the risk of successful attacks or sub-optimal mitigation of attacks.
The IT people are the ones who understand the issues and can put things in place.
The C-suites must give the IT people the budget and the power - including telling C-suites that they cannot run their favourite games on corporate equipment.
In the event of a problem the C-suites must be the ones who are blamed, even if the IT people screw up (as they should have checked what they were being told by IT). This is the only way that there is a hope in hell that we might get close to getting this nailed.
This is one thing that Trump appears to be getting right. The latest draft of his Cyber security Executive Order puts the chief exec's butt on the line [ S1 (c) (i) ]. Let us hope that this is what he orders.
Security decisions ultimately come from the board of directors, not the C-Suite or the IT department. The board dictates what direction they want, the C-Suite manages that direction and IT executes the plan.
C-Suite should never be involved with security decisions beyond doing what they are told by the board. History, I believe, bears this out.
They just won't pay someone to develop it right.
You make the end devices have full disk encryption and work at an l2+ protocol level on the network.
Then you just have the field people swap them out and the developers maintain the system. The trouble is the developers today aren't being paid to make an actual working system they are being paid to redirect pussy based on what people read and see online.
That shit shouldn't be happening at a networking level, put it in an app or something because this is absurd.
How can the IT department be held responsible if they aren't the ones making the decisions? The 'C-suite execs' have to authorize them first. Amirite?
“He’s not deformed, he’s just drunk!”
3rd party vendors also have control and can make it hard to lock stuff down.
Downtime for reboots for updates needs to be OK.
What about old software stuck on 2003 / xp / etc? That the suits don't want to shell out the cost to buy new apps that run on 10 / 2012 / 2016?
In related news, 85% of both groups combined think they are good at their jobs.
Interviewer: You get paid the big bucks. Are you doing it wrong?
Interviewee #1: Well, gosh, I don't know.
Interviewee #2: Every damn time, and twice for breakfast.
Interviewer: Uh, #2, how long have you held your current rank?
Interviewee #2: The previous numbnut is still fumbling for his keys in the parking lot, with all his executive possessions packed in an open box, tucked under his left arm.
Interviewer: How about you, #1?
Interviewee #1: Twenty-two years.
Interviewer: Really? You've been running the IT department for twenty years?
Interviewee #1: Actually, no. I'm the janitor. The chief custodian wears a shirt and tie, so I do, too. Always dress like the boss, you know. Good career advice passed down from my grandfather. You can tell a lot from the texture and density of crumpled, yellow Post-It notes at the bottom of an executive can. I'm not sure about our current IT head. There are days where I think he's in the danger zone.
As this goes, that's probably more useful than the intended interview.
Let me see if I can translate this: IT wants more money, C-suite doesn't think it's needed so they don't approve it. As a result, IT doesn't implement entirely what's needed, and C-suite thinks it got done anyway. Therefore when something goes down, C-suite blames IT for not implementing the solution, and IT blames C-suite for not providing the money needed to implement the solution.
Seems about right.
I'd say the only thing one can accurately get out of TFS is the fact that no one involved wants to be the scapegoat when the shit hits the fan.
Gotta love it when fucking finger pointing is the true cause of a vulnerable environment.
Virtualize and isolate. Provide a VDI solution to run those apps, and restrict all network access to/from that VDI environment. This doesn't eliminate the risk, but it does mitigate it to a minimal level.
According to the summary, 65% of C-level execs DON'T blame IT workers... and 50% of "IT decision makers" don't either. Sounds like they're reasonably close.
Shouldn't the real question be why we allow vendors to make and sell products with insecure features and standards, such as Flash, JAVA, VBS, etc.?
The real problem comes from the standard that allows remote code execution on the user's machine. If you force people to use crappy tools you get crappy systems.
How about build systems that don't need reboots to be updated? Customer service needs to be a consideration when we design systems, and IT people should have to sit with customer service when they take calls from customers when their systems are brought down for maintenance. People want 24/7 services; if we intend to supply those services we should do so in a manner that is manageable.
The issue isn't that each thinks the other is responsible, it's that each thinks they, themselves, are not.
IT people have to be the ones to implement. Executives have to pay for it. Proper security cannot be done without both buying in fully.
To frame the issue any other way is to fail.
The article mentions that both sides believe there is a sufficient posture in place for protection.
OK, OK, let's do this: hire a consultant team to do pen testing against your "posture". When the report comes out, have the team price out remediation as a 3rd-party inspection and have the C-level guys pony up for the fixes.
Go ballistic on it, hire multiple pen testing firms, sum up their assessments and then, after the C-level guys are done "sh1tt1ng" their pants, have them pony up for the remediation...
Get the board involved to ensure a healthy flow of $ for the various projects. But when making your presentation, use empirical information from krebsonsecurity.com, use pictures, show the loss of $, show the ROI on the investment and how it relates to the value of what is being protected.
As soon as you realize that the CIO is part of the C-suite you should realize that the C-suite is the only place where the responsibility belongs.
The comparison between "IT Decisions Makers" and the C-suite is simply nonsensical, they are not at the same level.
Well, IT is responsible for all the network equipment and infrastructure, so if the data breach occurred because something was incorrectly configured then IT is 100% responsible. If the breach occurred on stationary work computers that were NOT BYOC, IT is responsible. If the data breach occurred because the network was accessed and that access was not correctly configured, IT is responsible. If a computer enters the network that is not pre-authorized and already vetted, and gains unauthorized access, IT is responsible. Basically, if a computer is at fault, IT is responsible.
Security is the responsibility of the CSO.
Don't have a CSO? Well *there's* your problem. The board and the other Cs should have made sure there was a CSO.
Obviously, if the board and president blow off the CSO's warnings, override his decisions, and don't provide the needed budget, that's on them. It is the responsibility of the CSO to document those facts.
Manageable is usually not that hard. The problem is they never want to pay for what it takes to keep a system up 24/7.
This does not show a disconnect. It is not stated whether any of the 35% of C-suites or the 50% of ITs were at the same company. It is possible that 35% of companies put security in the hands of one, 50% allot that responsibility to the other, and 15% do something else.
Too bad so SAD! /pun intended.
They've had years to find the funds to upgrade. They've had years of prior warning that those OSes were going out of support. If you take YEARS to move on a security issue that's a constant threat, (much less cyber-security which is always changing), you need to question why it's taking so long. That or get Redmond and Cupertino to slow down the release cycle. (Really for corporate systems, they need an OS that's going to be supported long term, *DECADES*, and not forced to upgrade just for support, because Redmond and Cupertino want to push a new feature.)
I wonder how many C-level executives can name their IT employees past the CIO/CTO or VP...
Then why are IT departments getting owned by cyber-crackers (not using the equally loaded and ambiguous word, 'hackers') so hard? It seems nobody knows what is happening and nobody is responsible. This is why IT departments need to measure their work in terms of opportunity cost, particularly to security measures. Security, like so many human behaviours is a moving target and no IT department will have perfect security. But the departments need to audit and update their security measures in a way that minimizes the cost of implementing security and the cost of its failure.
I've worked at companies with 2,000 employees or less that have someone designated as being in charge of security. Many companies don't, that doesn't mean they can't or shouldn't.
> the CFO is often an external accountant and not a real CFO; they're auditing and doing tax work, and providing guidance
A similar model can be used for security. Companies like Alert Logic provide the backing of thousands of security experts in a 24/7 Security Operations Center at a cost starting at dozens of dollars per month. One company (which is a one-person company) pays me $100/month, which buys them a couple hours of my time every two or three months when they (he) make changes I should consult on or review. For $100/month he gets a career security professional with 20 years of experience who knows the company's systems inside and out at this point.
There's no excuse to not have anyone designated as being in charge of security.
Upper management just knows never to let profit be wasted on yet more hardware and software?
What about the generation shareholders? Executive bonuses are enjoyed every year. Why is that profit going on security hardware and software?
Are US legal teams haunted by some open court event in the 1980's or 1990's?
Logs finally showed an issue, law enforcement got contacted is all the compliance that needs to be public.
Showing a team understood an issue but could not prevent it or failed to report an issue in time while their security attempted to work the issue?
Incompetence might be legally better and could be cleaned up with good PR. The ability not to have any extra paperwork and really not to know anything could be legally useful later? A politician asking questions could be halted with a comment about working with law enforcement rather than producing vast amounts of internal paperwork to show how the company failed.
Being a brand in open court or before some gov committee reporting on people, crimes, naming other brands' staff, products, services, what was done before law enforcement was contacted in great detail might not be very useful marketing.
Domestic spying is now "Benign Information Gathering"
It's the responsibility of IT decision makers to educate executives on the value of cyber security. Proper education is a risk/benefit/cost analysis rather than just fear mongering.
The goal is to get executive support for both programs and resources (especially $$$) that allow IT decision makers to implement proper security.
If IT decision makers are unable to influence and persuade, pass the management hat and go back to coding.
1: Do a Disaster Recovery business impact analysis yearly. This means you do a spreadsheet; one axis is departments, another axis is systems, and you color code the intersecting block. Green for unaffected, yellow is impaired operation, Red is unable to operate. Turns out where I work, at a manufacturer, if so much as a mouse farts, shipments stop. We also discovered 3 days of downtime means manufacturing stops. Good items to know. You then assign the number of 9's required for each system and determine the accrued downtime over 5 years. Then you determine the number of 9's needed to mitigate the problem, and the cost of the department being down for days (each day, the cost goes up).
90% uptime: It's running, no backups. Allowed 6 months of accrued downtime in 5 years.
99% uptime: It's running, backups, is on a battery backup, N+1 Redundancy for disk drives. Allowed 1 Month of downtime in 5 years.
99.9% uptime: Redundant cooling, redundant power back to the power main, backups and a recovery strategy, 2 enterprise-grade servers and a backup enterprise-grade server with auto-failover and onsite warranty, server room is locked, rack cage is locked, RAID arrays have N+1 Redundancy, monitoring and alerting needs to be done, ticketing needs done and some basic ITIL items implemented, plus auditing, 3 days in 5 years.
99.99% uptime: 99.9% uptime plus two redundant data centers, which usually means a multi-site SAN. Onsite backup of data at corporate. 3 hours of downtime in 5 years, ITIL operations and a NOC are a requirement.
99.999% uptime: 99.99% uptime plus nazi-level operations, redundant NOC, audits, fail-over testing, and so forth.
2: You do a Security Breach Business Impact Analysis yearly. One axis is types of breaches (social engineering - financial target. Social engineering - steal data target. Cryptolocker attack - ransom. Cryptolocker attack - maximum damage), the other axis is again, departments. What you do is ask "If the entire engineering department got hit by a virus that was designed to destroy all their data, what is the cost?". One form is for the cost; Green is no capital impact to the enterprise given adequate disaster recovery is in place, yellow is a 4-5 figure loss, red is 6-7 figure losses, and Black is "Total Business Loss". You then fill in each square with the number of 9's of security required to secure the system. Yellow squares can be covered by insurance; red and black, those are issues.
90% secure: Rudimentary AAA, not much else.
99% secure: Logins, antivirus, behind corporate firewall, employee policies in place, system patched regularly, system under lock and key, and so forth.
99.9% secure: 99% secure items, plus active security monitoring software and regular audits by someone.
99.99% secure: Security NOC with 24/7 monitoring.
99.999% secure: good luck.
From these two items you draw up a series of initiatives and projects required to mitigate the risks, and you get smart about it. It takes time to really look at data-center vs local hosting, cost of staff for a NOC, and so forth.
Now if you hand that stack of paperwork to management, and they ignore it, year after year, and they fire you, now it's a wrongful termination lawsuit ; - ).
Don't be a tool or a victim of bad managers looking to screw people.
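An added worked example of the two spreadsheets the comment above describes (a disaster-recovery matrix with its 5-year downtime budget per number of 9's, and a breach-loss colour band). It is not the commenter's own tooling; the department and system names, impact colours, daily costs and the rule mapping the worst colour in a row to a number of 9's are constructed assumptions.

```python
# Added example (not the commenter's own code): the two business-impact
# spreadsheets described above, computed instead of coloured by hand.
# Names, impact colours, daily costs and the colour-to-nines rule are
# constructed assumptions for illustration.
from datetime import timedelta

HORIZON_YEARS = 5  # the comment accrues downtime over a 5-year horizon

# Disaster-recovery matrix: system -> department -> impact colour
# ("green" unaffected, "yellow" impaired, "red" unable to operate).
DR_IMPACT = {
    "ERP":       {"manufacturing": "red",    "shipping": "red",   "engineering": "yellow"},
    "CAD-vault": {"manufacturing": "yellow", "shipping": "green", "engineering": "red"},
    "wiki":      {"manufacturing": "green",  "shipping": "green", "engineering": "yellow"},
}
# Cost per day of a department being unable to operate (constructed figures).
DAILY_COST = {"manufacturing": 200_000, "shipping": 150_000, "engineering": 40_000}
# Assumed rules: the worst colour on a system's row sets the nines it needs,
# and each colour loses this fraction of the department's daily cost per day.
NINES_FOR_COLOUR = {"green": 1, "yellow": 2, "red": 3}
LOSS_FACTOR = {"green": 0.0, "yellow": 0.5, "red": 1.0}

def downtime_budget(nines: int, years: float = HORIZON_YEARS) -> timedelta:
    """Accrued downtime allowed over the horizon at availability 1 - 10**-nines."""
    return timedelta(days=365.25 * years * 10.0 ** -nines)

def required_nines(system: str) -> int:
    """Highest requirement among the departments that depend on the system."""
    return max(NINES_FOR_COLOUR[c] for c in DR_IMPACT[system].values())

def outage_cost(system: str, days: int) -> float:
    """Cumulative cost of `days` of outage; it grows with every day down."""
    return sum(DAILY_COST[d] * LOSS_FACTOR[c] * days
               for d, c in DR_IMPACT[system].items())

def loss_band(cost: float) -> str:
    """Colour from the comment's bands: yellow 4-5 figures, red 6-7, black above."""
    if cost < 1_000:
        return "green"
    if cost < 100_000:
        return "yellow"
    return "red" if cost < 10_000_000 else "black"

def bia_report(outage_days: int = 3) -> dict:
    """One row per system: nines needed, 5-year downtime budget, outage cost and band."""
    rows = {}
    for system in DR_IMPACT:
        nines, cost = required_nines(system), outage_cost(system, outage_days)
        rows[system] = {"nines": nines, "budget": downtime_budget(nines),
                        "cost": cost, "band": loss_band(cost)}
    return rows
```

Calling `bia_report()` gives the per-system rows; note that the exact 5-year budgets (for example roughly 18 days at 99% and roughly 44 hours at 99.9%) are tighter than the rounded figures quoted in the comment.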
IT should be responsible if given sufficient resources and latitude to implement security measures. The problem is that that is not always the case. Many times one of those is lacking and that is the responsibility of the executives.
Time makes more converts than reason