Slashdot Mirror


IT Decisions Makers and Executives Don't Agree On Cyber Security Responsibility (betanews.com)

Sead Fadilpasic, writing for BetaNews: There's a severe disconnect between IT decision makers and C-suite executives when it comes to handling cyber attacks. Namely, both believe the other one is responsible for keeping a company safe. This is according to new and extensive research by BAE Systems. A total of 221 C-suite executives and 984 IT decision-makers were polled for the report. According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management. Cost estimates of a successful breach also differ. IT decision makers think it would set them back $19.2 million, while C-suite thinks of a lesser figure, $11.6m. C-level thinks a tenth (10 percent) of their company's IT budget is spent on cyber security, while IT decision makers think that's 15 percent. Also, 84 percent of C-suite, and 81 percent of IT teams believe they have the right protection set up.

12 of 119 comments

  1. They just don't care by Anonymous Coward · · Score: 4, Insightful

    Much like breaking the law and paying a fine has become a cost of doing business, so too has getting hacked and paying a lawsuit settlement become a cost of doing business. No one goes to jail, no one cares. The legal calculus is the same.

  2. Toys, toys, toys... by chill · · Score: 5, Insightful

    If the C-Suite wants to give the responsibility to IT for security decisions, they can start by losing their "I have to have this cool gadget, but there is no business justification" toys.

    They can also stop demanding to be exceptions to any security policy that inconveniences them, like full-disk encryption, local administrative rights, multi-factor authentication and complex passwords.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Toys, toys, toys... by SecurityGuy · · Score: 2

      If you have local administration rights then you take responsibility for being the admin, good and bad.

      That simply doesn't work. Do this, and most likely before you've granted admin rights to two users, you'll have one who says "Ok, sure, I'll take responsibility for all that.", and subsequently never, ever acts as if they're responsible.

      Then, when something bad happens because they've done something nutty with admin privs, IT finds out they have absolutely no teeth with which to enforce accountability.

    2. Re:Toys, toys, toys... by dave562 · · Score: 2

      That seems like cutting off your nose to spite your face. I went through the same thing, but I shrugged and moved on. I do not know what your desktop support team was like at Ford, but the guys where I am have everything running very well.

      Windows 10, plus System Center and dare I say it Office 365 (2016) seem to be a good combination. Security updates are pushed out at the end of the Patch Tuesday (RIP) week. They are using PGP FDE and SSO through there works great. It does suck having to wait 4-6 hours to install some new software, but at the end of the day, the company is paying for my time. If the company can afford to eat the loss of productivity, I am not going to have a conniption fit over it. It is kind of nice not having to be responsible for my own desktop. After over a decade of consulting in the small business market, I enjoy letting someone else handle the headaches of desktop support.

  3. IT needs to get tough by Anonymous Coward · · Score: 3, Insightful

    Managers don't care about security. They give you no time and resources to properly implement it. Then when the breach happens, they suddenly care A LOT about security, and it's all your fault.

    There need to be set security standards for the industry, and managers should have to sign off saying they don't care about these standards when they choose not to allocate the proper time and resources for security.

  4. Disconnect = Lack of effective communication by Stolpskott · · Score: 2

    When you have a situation where each party is blaming the other, the cause is almost always a lack of effective communication by BOTH sides.
    If each thinks that the other is responsible, then neither has successfully articulated their opinions to the other.
    As an IT person, I do not mind being given the responsibility for handling cyber attacks, as long as I am also given the express authority that "handling" will require, and the budget to provision security and prevention measures.
    Of course, I am not going to get the budget that I ask for, no department head ever does. But then my acceptance of that budget comes with the written caveat that a reduced budget directly impacts my ability to "handle" cyber incidents and will increase the risk of successful attacks or sub-optimal mitigation of attacks.

    1. Re:Disconnect = Lack of effective communication by bluefoxlucid · · Score: 2

      Pretty much. People have an over-inflated sense of self-importance (IT says not being able to effectively do their job costs company millions more than C-level executives think it will) and want everything to be someone else's fault. QED.

      I can tell people what risk I can and can't handle given a budget. I'm not in that position; I'm just tech labor. I'm fully-capable of performing proper organizational risk assessment, planning risk controls, and assembling the necessary tools and procedures to control risks. It's not about "sub-optimal mitigation of attacks"; it's about negotiating what you want to bid for and how much you want to pay.

  5. Re:C-Suite Attitudes by __aaclcg7560 · · Score: 2

    *no wrong... unlike us mere mortals who make typos

    Don't worry. Perfect spelling is no longer a requirement at the Department of Education.

    http://wqad.com/2017/02/12/education-department-misspells-tweet-corrects-error-with-another-typo/

  6. Re:C-Suite Attitudes by chill · · Score: 3, Insightful

    Dude, please! Grammar!

    Twitter is a proper noun, so capitalize it. And there should be a comma between "Twitter" and "right". There should also be a comma between "petty" and "little", as they both are adjectives describing "bitch". And finally, some punctuation after the second sentence. From your tone I'd suggest an exclamation point, but a period could also be acceptable if you want to imply exasperation instead of passion.

    --
    Learning HOW to think is more important than learning WHAT to think.
  7. Re:C-Suite Attitudes by __aaclcg7560 · · Score: 2

    God forbid anyone make a fucking typo on twitter right?

    Spellcheckers exist for a reason. If you're releasing information to the public, it should be error free.

    Fuck off you petty little bitch

    Ignorance is not a virtue.

  8. Re:Simple Answer by Murdoch5 · · Score: 2

    Each port on the network switch should have been MAC bonded, and then if someone connected an unauthorized device, it would have shut down the port and thrown an alarm with the offending MAC address, which can then be traced to the device being plugged in. This is exactly how I handle all the switches in all my networks.
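    The alarm-handling side of the port-security setup described above, as an added example that is not part of the original comment: parse the switch's violation messages, normalize the offending MAC address, and attribute it against an asset inventory so the device can be traced. The message format is modelled on Cisco IOS port-security syslog output (an assumption; other vendors log differently), and the sample log lines and inventory are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines, modelled on Cisco IOS port-security messages
# (assumption: adjust VIOLATION_RE if your switches log in a different format).
SAMPLE_LOGS = [
    "Feb 13 09:12:01 sw-floor2 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/7.",
    "Feb 13 09:12:02 sw-floor2 %PM-4-ERR_DISABLE: psecure-violation error detected on "
    "Gi0/7, putting Gi0/7 in err-disable state",
    "Feb 13 09:15:44 sw-floor3 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address aa:bb:cc:dd:ee:ff on port GigabitEthernet0/3.",
    "Feb 13 09:16:00 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet0/9, changed state to up",
]

# Constructed asset inventory: normalized MAC -> what the MAC belongs to.
INVENTORY = {"00:11:22:33:44:55": "contractor laptop (asset tag C-0042)"}

VIOLATION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<switch>\S+) %PORT_SECURITY-2-PSECURE_VIOLATION: "
    r".*MAC address (?P<mac>[0-9A-Fa-f.:-]+) on port (?P<port>\S+?)\.?$"
)

def normalize_mac(mac: str) -> str:
    """Accept dotted (0011.2233.4455), colon or dash forms; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class Alert:
    ts: str
    switch: str
    port: str      # port the switch shut down
    mac: str       # offending MAC, normalized
    device: str    # inventory match, or "unknown" if the MAC is not ours

def violations(lines):
    """Return one Alert per port-security violation found in the log lines."""
    alerts = []
    for line in lines:
        m = VIOLATION_RE.match(line)
        if not m:
            continue  # err-disable and link messages are not violations themselves
        mac = normalize_mac(m["mac"])
        alerts.append(Alert(m["ts"], m["switch"], m["port"], mac, INVENTORY.get(mac, "unknown")))
    return alerts
```

An "unknown" device is the case the comment is about: a MAC that is not in the inventory at all is the one to chase down physically.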

  9. Yes to Both by sdinfoserv · · Score: 2

    It's the responsibility of IT decision makers to educate executives on the value of cyber security. Proper education is a risk/benefit/cost analysis rather than just fear mongering.
    The goal is to get executive support for both programs and resources (especially $$$) that allow IT decision makers to implement proper security.
    If IT decision makers are unable to influence and persuade, pass the management hat and go back to coding.