Slashdot Mirror


IT Decisions Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com)

Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.

67 of 119 comments

  1. They just don't care by Anonymous Coward · · Score: 4, Insightful

    Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.

    1. Re:They just don't care by TWX · · Score: 1

      Then the lawsuit settlement is too low.

      I expect that insurance companies haven't yet truly figured out how to price the insurance they sell for this, and the long-term costs borne by the compromised companies haven't yet been truly realized.

      If these costs shift back to the company that allowed the breach to happen then perhaps they'll start leaning on the vendors that they source their IT from, to get those vendors to start paying attention to security.

      --
      Do not look into laser with remaining eye.
    2. Re:They just don't care by dougdonovan · · Score: 1

      If it weren't for the IT department, executives would not have a job.

    3. Re:They just don't care by Ravaldy · · Score: 1

      Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.

      Fact is, it's the cost of doing business, but at the end of the day shifting that mentality from reactive to pro-active is in the customer's hands. A company will react quickly if customers are known to run away from your brand after a security breach.

    4. Re:They just don't care by tommeke100 · · Score: 1

      They actually do care in sectors like healthcare where information is heavily protected by law through HIPAA and it definitely is everyone's concern.
      Fines are high and the damage to the business may be even higher. Stocks go down. Partners don't trust you anymore with their data.
      You bet the C-suite is concerned if a breach means their $50 million worth of stock just dropped by 50%.

  2. Toys, toys, toys... by chill · · Score: 5, Insightful

    If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.

    They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Toys, toys, toys... by Joe_Dragon · · Score: 1

      local administrative rights are needed by some software.

      Well, if I need to have 2 laptops then I need 2 data cards with worldwide data. Or is it ok to use a hot spot for both?

    2. Re:Toys, toys, toys... by Ryanrule · · Score: 1

      IT needs board level power over the C-suite.

    3. Re:Toys, toys, toys... by Anonymous Coward · · Score: 1

      If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.

      They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.

      I left my job as an engineer at a Fortune 10 company, Ford Motor Company, and not having local admin rights on my computer was in my top 3 reasons why. You are conflating having useless "cool gadgets" and having access to local administration on my computer as inconveniences? What you call "inconvenience" is a major road block to getting shit done in a timely and efficient manner. I am not joking when I say this: I will never work at a job where I can't have control of the computer I have to use. I ask about the computing environment now before I accept a job.

    4. Re:Toys, toys, toys... by Anonymous Coward · · Score: 1

      local administrative rights are needed by some software.

      No, they usually aren't. Even antique software that "needs" administrator rights can usually be worked around by giving the local user write permission to that individual program's folder in Program Files. The occasional _really_ stupid program that stores its configuration in \Windows\System32, or somewhere equivalently boneheaded, can still be worked around by running it as admin once, then giving the end user write permission to the files it creates to store its configuration.

      The only real reason to need administrator rights is to install system wide software, or install/update drivers. These are not something _any_ end user should be doing in a corporate setting.

    5. Re:Toys, toys, toys... by Shoten · · Score: 1

      local administrative rights are needed by some software.

      Well, if I need to have 2 laptops then I need 2 data cards with worldwide data. Or is it ok to use a hot spot for both?

      This is less and less frequently true these days. More importantly, it's less frequently true because companies are taking away admin rights, at which point they then notice which software is written this way. And in turn, that software often gets replaced by something that's better-written, since it represents a security risk by confounding the business' need to properly control user access rights.

      --
      For your security, this post has been encrypted with ROT-13, twice.
    6. Re:Toys, toys, toys... by SecurityGuy · · Score: 2

      If you have local administration rights then you take responsibility for being the admin, good and bad.

      That simply doesn't work. Do this, and most likely before you've granted admin rights to two users, you'll have one who says "Ok, sure, I'll take responsibility for all that.", and subsequently never, ever acts as if they're responsible.

      Then, when something bad happens because they've done something nutty with admin privs, IT finds out they have absolutely no teeth with which to enforce accountability.

    7. Re:Toys, toys, toys... by dave562 · · Score: 2

      That seems like cutting off your nose to spite your face. I went through the same thing, but I shrugged and moved on. I do not know what your desktop support team was like at Ford, but the guys where I am have everything running very well.

      Windows 10, plus System Center and dare I say it Office 365 (2016) seem to be a good combination. Security updates are pushed out at the end of the Patch Tuesday (RIP) week. They are using PGP FDE and SSO through there works great. It does suck having to wait 4-6 hours to install some new software, but at the end of the day, the company is paying for my time. If the company can afford to eat the loss of productivity, I am not going to have a conniption fit over it. It is kind of nice not having to be responsible for my own desktop. After over a decade of consulting in the small business market, I enjoy letting someone else handle the headaches of desktop support.

    8. Re:Toys, toys, toys... by dave562 · · Score: 1

      This seems pretty disconnected from reality. Any C-suite in a publicly traded corporation with a chief compliance officer is not going to be demanding exceptions from security policies. Those security policies are in place and enforced.

      Let's take them one by one.

      Full Disk Encryption - No way around that one. Every device has it. Period.

      Local Admin Rights - What CEO wants to admin their own device? That is what the help desk / admin assistants are for. Really? C-suite, doing IT grunt work. Hahahahahahaha.

      Complex Passwords - For most organizations, enforced by the Default Domain Policy. No way around it. It applies to the entire organization.

      MFA - A person who earns six, seven or eight figures a year can handle transcribing a couple of numbers from their smartphone into their desktop / laptop. In fact most of them feel 'high tech' when they do it. Like they are secret agents, protecting supah sekrit datas.

    9. Re:Toys, toys, toys... by Joe_Dragon · · Score: 1

      And what if a CEO needs both a locked-down system and a system for their own stuff?

    10. Re:Toys, toys, toys... by jezwel · · Score: 1

      software often gets replaced by something that's better-written since it represents a security risk by confounding the business' need to properly control user access rights.

      When did you last try and use Adobe Creative Cloud software in an enterprise setting? Yuck.

    11. Re:Toys, toys, toys... by Coren22 · · Score: 1

      Perhaps a CEO makes enough money to afford their own home computer for personal stuff. There is no reason that a CEO even should be using the company computer for personal stuff; they would fire an employee for doing it, so why would they be exempt from the policy?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  3. IT needs to get tough by Anonymous Coward · · Score: 3, Insightful

    Managers don't care about security. They give you no time and resources to properly implement it. Then when the breach happens, they suddenly care A LOT about security, and it's all your fault.

    There need to be set security standards for the industry, and managers should have to sign off saying they don't care about these standards when they choose not to allocate the proper time and resources for security.

    1. Re:IT needs to get tough by ctilsie242 · · Score: 1

      When the breach happens, they care about one thing: Who "caused" it. They want to shitcan someone, say the problem is solved because the parties responsible are no longer working there, and continue on the same way, fundamentally insecure as before. Bonus points if they decide to bother running as a DA: "dsquery user | dsmod user -mustchpwd yes" so they can tell the press that "security precautions were taken."

      Even repeated breaches won't change this behavior, because it is a cost of doing business.

    2. Re:IT needs to get tough by skids · · Score: 1

      The answer to TFA's dilemma is "neither is responsible." Security is the responsibility of your designated cybersecurity officer. If you don't have one, you are doing it wrong. You need someone who can focus solely on security tech and policies. IT should be security-tech-aware as far as they can without losing focus on actual IT equipment, and C-suite should be security-policy-aware without micromanaging security (and a bit of big picture over both of those sides doesn't hurt.)
      You don't want IT guys spending their time learning to chase geese in the firewall logs when they have other tech topics that need their brainshare, and you don't want PHB spending all his time in meetings about properly running an in-house CA when they should be tending to whatever it is PHBs do these days.

      Heck, my IT operation is tiny and the first actual tech we hired when we got the rare opportunity to hire a tech was a security officer.

    3. Re:IT needs to get tough by TemporalBeing · · Score: 1

      The answer to TFA's dilemma is "neither is responsible."

      Actually, I'd argue both are. C-level Execs are b/c they don't often allocate sufficient funds and downplay the possibilities that things will go wrong. In essence, they are creating some risk they don't have to create simply for funding reasons, and they should own that responsibility. And the presence (or lack thereof) of a Cyber Security Officer is a C-Level Exec decision; most companies don't need one - but then, their IT manager is essentially taking on that role - realize, most companies are barely big enough for an IT department of any kind if they have one at all.

      IT managers do the same thing, namely when they don't think they can get the funds to cover stuff. This goes all the way from development and ensuring developers can have the time to properly secure the systems at a code level, to ops, to security, etc. They also fail to push back on the C-levels enough to make the C-levels take them seriously about needing to fund that stuff.

      On top of it all, IT project failures are common enough that often they just want to get some kind of success, regardless of the risk. But that's what happens when you have an IT industry that focuses more on art and less on engineering - like we do now.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  4. What is a "Decision Maker?" by chispito · · Score: 1

    I know what a C-level exec is. What is an "IT Decision Maker?" The full article is basically the summary plus a bit of fluff with no sources and no additional information.

    Is "Decision Maker" ManagerSpeak for "Security Team?" Otherwise, it sounds like the study may just be contrasting the opinions of middle-upper and senior management, which sounds pointless.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
    1. Re:What is a "Decision Maker?" by __aaclcg7560 · · Score: 1

      What is an "IT Decision Maker?"

      The guy from Geek Squad who got hired to run the entire IT department by himself.

    2. Re:What is a "Decision Maker?" by The-Ixian · · Score: 1

      I would think that an IT decision maker is the one who has control of the IT budget.

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:What is a "Decision Maker?" by chispito · · Score: 1

      I would say that a "Decision Maker" is the one capable of making such decisions, regardless of whether they are a CxO or a member of the IT team.

      That's what I was trying to get at. If a "Decision Maker" says it is someone else's responsibility, he is not making the decision.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  5. Disconnect = Lack of effective communication by Stolpskott · · Score: 2

    When you have a situation where each party is blaming the other, the cause is almost always a lack of effective communication by BOTH sides.
    If each thinks that the other is responsible, then neither has successfully articulated their opinions to the other.
    As an IT person, I do not mind being given the responsibility for handling cyber attacks, as long as I am also given the express authority that "handling" will require, and the budget to provision security and prevention measures.
    Of course, I am not going to get the budget that I ask for, no department head ever does. But then my acceptance of that budget comes with the written caveat that a reduced budget directly impacts my ability to "handle" cyber incidents and will increase the risk of successful attacks or sub-optimal mitigation of attacks.

    1. Re:Disconnect = Lack of effective communication by bluefoxlucid · · Score: 2

      Pretty much. People have an over-inflated sense of self-importance (IT says not being able to effectively do their job costs company millions more than C-level executives think it will) and want everything to be someone else's fault. QED.

      I can tell people what risk I can and can't handle given a budget. I'm not in that position; I'm just tech labor. I'm fully capable of performing proper organizational risk assessment, planning risk controls, and assembling the necessary tools and procedures to control risks. It's not about "sub-optimal mitigation of attacks"; it's about negotiating what you want to bid for and how much you want to pay.

    2. Re:Disconnect = Lack of effective communication by dave562 · · Score: 1

      Finally, someone who actually has some experience. You are right on point sir.

      "Here is the risk. Here is the cost to mitigate the risk. Here is the risk of doing nothing. Let me know which way you want me to go. Please respond via email so that when the risk you decided you didn't want to mitigate materializes, you, me and everyone else understands who made the decision to ignore it."

  6. Both by Alain+Williams · · Score: 1

    The IT people are the ones who understand the issues and can put things in place.

    The C-suites must give the IT people the budget and the power - including telling C-suites that they cannot run their favourite games on corporate equipment.

    In the event of a problem the C-suites must be the ones who are blamed, even if the IT people screw up (as they should have checked what they were being told by IT). This is the only way that there is a hope in hell that we might get close to getting this nailed.

    This is one thing that Trump appears to be getting right. The latest draft of his Cyber security Executive Order puts the chief exec's butt on the line [ S1 (c) (i) ]. Let us hope that this is what he orders.

  7. Odd by geek · · Score: 1

    Security decisions ultimately come from the board of directors, not the C-Suite or the IT department. The board dictates what direction they want, the C-Suite manages that direction and IT executes the plan.

    C-Suite should never be involved with security decisions beyond doing what they are told by the board. History, I believe, bears this out.

    1. Re:Odd by freeze128 · · Score: 1

      Not every company has a board of directors. Public companies probably do, but not private or family owned.

  8. Wait, what? by fustakrakich · · Score: 1

    How can the IT department be held responsible if they aren't the ones making the decisions? The 'C-suite execs' have to authorize them first. Amirite?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Wait, what? by Falos · · Score: 1

      >but doesn't follow through
      There's a marginal blame for lax follow through on the follow through that rolls uphill (or at least is supposed to) into middle management or higher.

      Mind, this level of blame may be little more than mild reprimand for doing a meh job. Your point stands, IT's at fault if they were ordered to do X and didn't.

    2. Re:Wait, what? by arth1 · · Score: 1

      IT needs to clearly document what the threats are and the resources requested to mitigate the threats.

      I think that's part of the problem. Those who have enough technical insight to see the actual problems aren't the same people who communicate with upper management, or have skills in doing so.

      Of course, there are also unreasonable requirements, like being able to document how likely each scenario is, or how high the corporate costs of any breach will be, given that IT isn't privy to the economic details of damage done to the rest of the business. So there will be a lot of SWAG, which may well end up as "too expensive" after being filtered through five layers uphill.

      Too many walls; too many layers.

  9. Re:C-Suite Attitudes by __aaclcg7560 · · Score: 2

    *no wrong... unlike we mere mortals who make typos

    Don't worry. Perfect spelling is no longer a requirement at the Department of Education.

    http://wqad.com/2017/02/12/education-department-misspells-tweet-corrects-error-with-another-typo/

  10. 3rd party vendors also have control and can make by Joe_Dragon · · Score: 1

    3rd party vendors also have control and can make it hard to lock stuff down.

  11. down time for reboots for updates needs to be ok by Joe_Dragon · · Score: 1

    down time for reboots for updates needs to be ok.

  12. What about old software stuck on 2003 / xp / etc? by Joe_Dragon · · Score: 1

    What about old software stuck on 2003 / xp / etc? That the suits don't want to shell out the cost to buy new apps that run on 10 / 2012 / 2016?

  13. from the Journal of Predictable Answers by epine · · Score: 1

    Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.

    In related news, 85% of both groups combined think they are good at their jobs.

    Interviewer: You get paid the big bucks. Are you doing it wrong?

    Interviewee #1: Well, gosh, I don't know.

    Interviewee #2: Every damn time, and twice for breakfast.

    Interviewer: Uh, #2, how long have you held your current rank.

    Interviewee #2: The previous numbnut is still fumbling for his keys in the parking lot, with all his executive possessions packed in an open box, tucked under his left arm.

    Interviewer: How about you, #1?

    Interviewee #1: Twenty-two years.

    Interviewer: Really? You've been running the IT department for twenty years?

    Interviewee #1: Actually, no. I'm the janitor. The chief custodian wears a shirt and tie, so I do, too. Always dress like the boss, you know. Good career advice passed down from my grandfather. You can tell a lot from the texture and density of crumpled, yellow Post-It notes at the bottom of an executive can. I'm not sure about our current IT head. There are days where I think he's in the danger zone.

    As this goes, that's probably more useful than the intended interview.

    1. Re:from the Journal of Predictable Answers by __aaclcg7560 · · Score: 1

      I'm the janitor. The chief custodian wears a shirt and tie, so I do, too. Always dress like the boss, you know.

      A recruiter sent me off to a bio tech company to interview for an IT support job. She told me to dress up in a suit and tie. I went into the lobby, which didn't have a receptionist, called the IT manager, and sat down. For 90 minutes people came and went through the lobby. I kept getting phone calls from the recruiter asking where the hell I was. Finally, a guy in sweat pants and a shirt asked me who I was there to see. He was the IT manager. The CEO was dressed worse than him. Everyone, including all the scientists walking by, thought I was a venture capitalist.

    2. Re:from the Journal of Predictable Answers by sconeu · · Score: 1

      I bailed in a similar situation. I went for an interview, told the receptionist I was there for an interview and who my contact was.

      45 minutes later, I called my recruiter and told him I was bailing out.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:from the Journal of Predictable Answers by MrLogic17 · · Score: 1

      90 minutes? That's about an hour longer than I'd have been there.

      Remember that job interviews are a 2-way street - you're interviewing the company to see if you even want to work there.
      That lack of respect for time, lack of awareness of everyone who walked by you, and the lack of self respect in attire says you made the right call.

    4. Re:from the Journal of Predictable Answers by __aaclcg7560 · · Score: 1

      I bailed in a similar situation.

      At that time I was out of work for two years and getting ready to file Chapter Seven bankruptcy. Bailing out wasn't an option. Not long after that interview, I started working multiple jobs for seven days a week for the next two years to recover from the Great Recession.

    5. Re:from the Journal of Predictable Answers by __aaclcg7560 · · Score: 1

      That lack of respect for time, lack of awareness of everyone who walked by you, and the lack of self respect in attire says you made the right call.

      The IT manager was looking for a drinking buddy rather than a tech. Those guys and everyone around them who don't keep a professional distance tend to get fired by management.

    6. Re:from the Journal of Predictable Answers by sconeu · · Score: 1

      Sympathies. Dude. Glad you made it through.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  14. Scapegoats and finger pointing. by geekmux · · Score: 1

    I'd say the only thing one can accurately get out of TFS is the fact that no one involved wants to be the scapegoat when the shit hits the fan.

    Gotta love it when fucking finger pointing is the true cause of a vulnerable environment.

  15. Re:C-Suite Attitudes by chill · · Score: 3, Insightful

    Dude, please! Grammar!

    Twitter is a proper noun, so capitalize it. And there should be a comma between "Twitter" and "right". There should also be a comma between "petty" and "little", as they both are adjectives describing "bitch". And finally, some punctuation after the second sentence. From your tone I'd suggest an exclamation point, but a period could also be acceptable if you want to imply exasperation instead of passion.

    --
    Learning HOW to think is more important than learning WHAT to think.
  16. Re:C-Suite Attitudes by __aaclcg7560 · · Score: 2

    God forbid anyone make a fucking typo on twitter right?

    Spellcheckers exist for a reason. If you're releasing information to the public, it should be error free.

    Fuck off you petty little bitch

    Ignorance is not a virtue.

  17. They are asking the wrong question. by Anonymous Coward · · Score: 1

    Shouldn't the real question be why we allow vendors to make and sell products with insecure features and standards, such as Flash, Java, VBS, etc.?
    The real problem comes from the standard that allows remote code execution on the user's machine. If you force people to use crappy tools you get crappy systems.

  18. Re:C-Suite Attitudes by __aaclcg7560 · · Score: 1

    Crimer is the ahole who would give you heck for mistping a word if you are on the other side of the aisle from him, but if your own team can't find light switches, doesn't read executve orders before they sign them, and makes up msasacres then it was a simple mistake. amiright cremier?

    This sentence is almost as annoying as an email from a receptionist who had a plugin for the Eudora email client that displayed each letter in a different color. People who downloaded email in plain text never saw the problem. The rest of us who downloaded in HTML saw the email in its full rainbow glory.

  19. Let's reframe the issue by taustin · · Score: 1

    The issue isn't that each thinks the other is responsible, it's that each thinks they, themselves, are not.

    IT people have to be the ones to implement. Executives have to pay for it. Proper security cannot be done without both buying in fully.

    To frame the issue any other way is to fail.

  20. Simple Answer by Murdoch5 · · Score: 1

    Well IT is responsible for all the network equipment and infrastructure so if the data breach occurred because something was incorrectly configured then IT is 100% responsible. If the breach occurred on stationary work computers, that were NOT BYOC, IT is responsible. If the data breach occurred because the network was accessed and that access was not correctly configured, IT is responsible. If a computer enters the network that is not pre-authorized and already vetted, and gains unauthorized access IT is responsible. Basically if a computer is at fault, IT is responsible.

    1. Re:Simple Answer by __aaclcg7560 · · Score: 1

      If a computer enters the network that is not pre-authorized and already vetted, and gains unauthorized access IT is responsible.

      I worked on a PC refresh project where the engineers were told that they weren't going to keep their old workstation after the data transfer. Next morning they couldn't connect to the network with either the new or old workstations. It took an IT tech the better part of the day to track down a half-dozen rogue routers that were being used as switches for the new and old workstations. Since the users didn't bother to turn off the DHCP server on the routers, all nearby systems had a 192.168.1.x network address that went nowhere. The users got into trouble for attaching unauthorized devices to the corporate network.

    2. Re:Simple Answer by Murdoch5 · · Score: 2

      Each port on the network switch should have been MAC bonded, and then if someone connected an unauthorized device, it would have shut down the port and thrown an alarm with the offending MAC address, which can then be traced to the device being plugged in. This is exactly how I handle all the switches in all my networks.

    3. Re: Simple Answer by __aaclcg7560 · · Score: 1

      Sounds like you are incompetent if it takes you a day to recognize and find rogue routers.

      It took the IT tech half a day to find and remove those routers. I was the Dell tech replacing the workstations, so it wasn't my problem that someone else was fouling up the networks.

      Do you even ARP bro?

      Please explain how to use ARP to find routers that are physically hidden behind two large workstations on the floor.

      You are too busy eating 1500 calories a day while somehow weighing 350# and claiming it is from weight lifting.

      That's relevant to this discussion how?

    4. Re:Simple Answer by __aaclcg7560 · · Score: 1

      This is exactly how I handle all the switches in all my networks.

      That wasn't my experience at the Fortune 500 companies I've worked at. When I got into government IT, everything got locked down tight. Put a USB stick into your workstation, security will be at your desk in five minutes to take it away.

    5. Re:Simple Answer by Murdoch5 · · Score: 1

      Most companies don't operate this way, but they should.

    6. Re: Simple Answer by __aaclcg7560 · · Score: 1

      Assuming your switch ports are documented to their connected wallplates, you can find the device by dumping the ARP table in the switch then finding the associated wallplate based on the offending MAC in the table. Impossible if you aren't doing the correct level of documentation, child's play if you are.

      I don't think the network team was involved. Since the problem started the next morning after the new workstations got rolled out the night before, it was viewed as a desktop problem and not a network problem. Once the routers were found, it became a user problem.
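To make the two replies above concrete (consumer routers with DHCP left on handing out 192.168.1.x leases, and tracing the offending MAC through the switch table to a documented wallplate), here is an added Python example; it is not code from the thread, and the corporate subnet, workstation ARP output, switch MAC table and port-to-wallplate map are all constructed sample data.

```python
"""Track down a rogue consumer router (DHCP server enabled) from what an affected
workstation sees and what the access switch has learned. All data is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed: the corporate client subnet. A lease from any other range is suspect.
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed: default gateway and `arp -a` output from an affected Windows workstation.
WORKSTATION_GATEWAY = "192.168.1.1"
WORKSTATION_ARP = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           b4-75-0e-aa-bb-cc     dynamic
  192.168.1.24          00-50-56-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed: `show mac address-table` from the access switch (Cisco-style layout).
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0050.5611.2233    DYNAMIC     Gi1/0/12
  20    b475.0eaa.bbcc    DYNAMIC     Gi1/0/12
  20    0050.5644.5566    DYNAMIC     Gi1/0/12
  20    0050.5677.8899    DYNAMIC     Gi1/0/13
"""

# Constructed: the switch-port-to-wallplate documentation the reply above calls for.
PORT_TO_WALLPLATE = {"Gi1/0/12": "Bldg2-Rm210-W3", "Gi1/0/13": "Bldg2-Rm211-W1"}

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac: str) -> str:
    """Canonical 'aabbccddeeff' from Cisco dotted, Windows dashed or colon notation."""
    digits = _NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_arp(text: str) -> dict:
    """{ip: mac} for the dynamic entries of Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "dynamic":
            table[parts[0]] = normalize_mac(parts[1])
    return table


def parse_mac_table(text: str) -> dict:
    """{mac: port} for the DYNAMIC entries of `show mac address-table` output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "DYNAMIC":
            table[normalize_mac(parts[1])] = parts[3]
    return table


def rogue_gateway(gateway_ip: str, arp_text: str, corporate_net=CORPORATE_NET):
    """(ip, mac) of the default gateway if it lies outside the corporate subnet,
    i.e. the workstation took its lease from something that is not our DHCP server."""
    if ipaddress.ip_address(gateway_ip) in corporate_net:
        return None
    mac = parse_arp(arp_text).get(gateway_ip)
    return (gateway_ip, mac) if mac else None


def locate_mac(mac: str, mac_table_text: str, wallplates=PORT_TO_WALLPLATE):
    """Map a MAC to (switch port, wallplate). Wallplate is None when undocumented;
    the whole result is None when this switch has not learned the MAC."""
    port = parse_mac_table(mac_table_text).get(normalize_mac(mac))
    return (port, wallplates.get(port)) if port else None


def ports_with_multiple_macs(mac_table_text: str) -> dict:
    """Access ports that learned more than one MAC: the signature of a consumer
    router or hub hung off a single drop, and exactly the condition port security
    limited to one address would have shut the port down and alarmed on."""
    by_port = defaultdict(set)
    for mac, port in parse_mac_table(mac_table_text).items():
        by_port[port].add(mac)
    return {p: sorted(m) for p, m in by_port.items() if len(m) > 1}


def locate_rogue_router(gateway_ip: str, arp_text: str, mac_table_text: str):
    """End to end: rogue gateway IP -> MAC -> switch port -> wallplate to walk to."""
    hit = rogue_gateway(gateway_ip, arp_text)
    if not hit:
        return None
    ip, mac = hit
    port, plate = locate_mac(mac, mac_table_text) or (None, None)
    return {"ip": ip, "mac": mac, "port": port, "wallplate": plate}


if __name__ == "__main__":
    print(locate_rogue_router(WORKSTATION_GATEWAY, WORKSTATION_ARP, SWITCH_MAC_TABLE))
    print(ports_with_multiple_macs(SWITCH_MAC_TABLE))
```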

  21. It's always the CSO's responsibility by raymorris · · Score: 1

    Security is the responsibility of the CSO.
    Don't have a CSO? Well *there's* your problem. The board and the other Cs should have made sure there was a CSO.

    Obviously, if the board and president blow off the CSO's warnings, override his decisions, and don't provide the needed budget, that's on them. It is the responsibility of the CSO to document those facts.

    1. Re:It's always the CSO's responsibility by TemporalBeing · · Score: 1

      Security is the responsibility of the CSO. Don't have a CSO? Well *there's* your problem. The board and the other Cs should have made sure there was a CSO.

      Realize, the vast majority of companies have (a) a president/CEO and (b) a CFO and that's their entire C-level exec suite. Moreover, when it comes to small companies, the CFO is often an external accountant and not a real CFO; they're auditing and doing tax work, and providing guidance to someone that has no accounting background on how to do the books.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  22. Better question by kugeln · · Score: 1

    I wonder how many C-level executives can name their IT employees past the CIO/CTO or VP...

  23. Re:It's simple really by arth1 · · Score: 1

    They just won't pay someone to develop it right.

    No, I don't think that's the case. Any security you pay for is introduced too late. No exceptions. You can't hire security-minded thinking. You need to get everyone to think of security to start with, instead of trying to hire security, and it won't cost nearly as much.

  24. Experts included by raymorris · · Score: 1

    I've worked at companies with 2,000 employees or less that have someone designated as being in charge of security. Many companies don't, that doesn't mean they can't or shouldn't.

    > the CFO is often an external accountant and not a real CFO; they're auditing and doing tax work, and providing guidance

    A similar model can be used for security. Companies like Alert Logic provide the backing of thousands of security experts in a 24/7 Security Operations Center at a cost starting at dozens of dollars per month. One company (which is a one-person company) pays me $100/month, which buys them a couple hours of my time every two or three months when they (he) make changes I should consult on or review. For $100/month he gets a career security professional with 20 years of experience who knows the company's systems inside and out at this point.

    There's no excuse to not have anyone designated as being in charge of security.

    1. Re:Experts included by TemporalBeing · · Score: 1

      I've worked at companies with 2,000 employees or less that have someone designated as being in charge of security. Many companies don't, that doesn't mean they can't or shouldn't.

      Most companies are 100 employees total, even 50 employees. So yeah - they can't. Everyone carries multiple duties as it is.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  25. What happened? by AHuxley · · Score: 1

    Upper management just knows never to let profit be wasted on yet more hardware and software?
    What about the generation shareholders? Executive bonuses are enjoyed every year. Why is that profit going on security hardware and software?

    Are US legal teams haunted by some open court event in the 1980's or 1990's?
    Logs finally showed an issue, law enforcement got contacted is all the compliance that needs to be public.
    Showing a team understood an issue but could not prevent it or failed to report an issue in time while their security attempted to work the issue?
    Incompetence might be legally better and could be cleaned up with good PR. The ability not to have any extra paperwork and really not to know anything could be legally useful later? A politician asking questions could be halted with a comment about working with law enforcement rather than producing vast amounts of internal paperwork to show how the company failed.
    Being a brand in open court or before some gov committee reporting on people, crimes, naming other brands' staff, products, services, what was done before law enforcement was contacted in great detail might not be very useful marketing.

    --
    Domestic spying is now "Benign Information Gathering"
  26. Yes to Both by sdinfoserv · · Score: 2

    It's the responsibility of IT decision makers to educate executives on the value of cyber security. Proper education is a risk/benefit/cost analysis rather than just fear mongering.
    The goal is to get executive support for both programs and resources (especially $$$) that allow IT decision makers to implement proper security.
    If IT decision makers are unable to influence and persuade, pass the management hat and go back to coding.

  27. This is actually a tricky thing by Xabraxas · · Score: 1

    IT should be responsible if given sufficient resources and latitude to implement security measures. The problem is that that is not always the case. Many times one of those is lacking and that is the responsibility of the executives.

    --
    Time makes more converts than reason