83 Percent Of Security Staff Waste Time Fixing Other IT Problems (betanews.com)
An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.
Been there, fixed that.
IT wouldn't be a problem if programmers wrote better code that wasn't so vulnerable. Whether it's Windows desktops or Linux servers, there are lots of vulnerabilities because the programmers are quite sloppy and lazy in their coding. It is possible to prove the correctness of programs, and doing so would avoid so many of the vulnerabilities that are exploited. Because this step is skipped, businesses need security staff to compensate for the lousy programmers.
IT security is a huge problem because of the damage caused by data breaches. Because businesses aren't securing data on their own, government regulation is needed. Mandate that security staff are hired and are able to devote their time to IT security. Unfortunately, the Republican leadership opposes even reasonable regulation of businesses like this. Don't expect security to improve as long as Republicans control Congress and Trump is in the White House.
83% of security staff are not full-time "security", but are employed to do a rather more wide-ranging job, because let's face it, for at least 83% of them there's no way "security" alone could fill a full-time job.
Is that so terrible?
"IT personnel are usually the helpful, go-to people for sorting out issues"?
If people are calling system security to help with computer issues that should be handled by the IT help desk then it's probably because:
1. The issues being reported appear to be security problems.
2. The IT helpdesk consists of condescending asshats which most employees avoid at all costs (based on my work experience, I bet this is the big reason).
More seriously, if security staff are only being called in on inappropriate calls that take up less time in a given week than they spend choosing what to put in their coffee, you've got a pretty efficient IT setup with very little to worry about.
Or you haven't gotten a clue as to what's going on and the North Koreans are actually running your business.
I'll see myself out.
"Not only are modern IT security professionals faced with a growing complexity and skills gap and keeping up with technology investments and advancements, but they are also expected by colleagues to help them sort out their personal computing woes," says Michael Callahan, CMO of FireMon. "IT personnel are usually the helpful, go-to people for sorting out issues, but it's only when you start to cost it out that you realize how much money it equates to."
Do they mean work colleagues come to them with problems instead of the "normal" IT staff? Or that other, non-security, IT staff are coming to them with problem they can't figure out on their own?
In the first case why don't the security people direct the questions to the correct staff members? In the second case, either the company isn't spending enough on hiring and training and the "savings" there is coming back to bite them in the ass, or this is perfectly normal collaboration between colleagues. If ((normal IT salary + security IT salary) * consulting time) is less than (normal IT salary * figuring it out on their own time) it's not really a loss for the company.
And 90% spend 20 minutes a day getting coffee which requires an additional 20 minutes a day going to the bathroom. People spend time at work doing things other than what they are paid for, it's the nature of most jobs. Most companies accept this.
Do you mean guys with guns on their hips? Or at least ones who place their hand thusly, giving the appearance they are armed?
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
IT staff waste time browsing Slashdot
How much extra time would a less qualified (lower paid) person be taking to do the same work?
If they get paid 20% less but take twice as long, there is savings, not waste.
83% of IT professionals also waste time fixing security problems because management is cheap.
It serves to establish and maintain closer relationships between users and IT security people, so that, you know, if a user has a suspicion of a security problem, they feel more confident and approach IT security staff earlier. But that idea flays wayyyyy above the heads of MBA morons.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I wouldn't mind earning $88K for working one hour a week.
Where can I get me some of this $1,700/hr IT work?
The article makes no mention of how they come up with the $88,000 figure. One person's pay for one hour per week for a year, if they work 40 hours/week and get a salary of $100,000 is only $2500. The only way they could claim a waste of $88,000 / year for that would be if that number represented 35.2 people.
. . . the loose nut behind the keyboard.
"I didn't change anything on my configuration, but my computer is not working any more, so it must be some automatic security restriction that happened automatically . . . "
1) The help desk won't tell the user they don't know how to do their job (and usually the user is so bad at describing the issue they probably haven't had a chance to figure out it's a PEBKAC issue) so they dispatch desktop support.
2) Desktop support doesn't understand what's happening and doesn't communicate well with the user to get the details required to figure it out, so they blame network (security/policy/site connectivity/whatever).
3) The network tech stops what they're doing to prove it's a desktop issue so they can push the job back down the chain.
4) The desktop guys figure out the user is improperly trained - sometimes they're just clueless, sometimes there's a change and their department didn't do the training... or even a simple notification.
That describes 80% of the tickets I am aware of in our organization. Sometimes it bounces back and forth between steps 2 and 3 a couple of times, to the user's frustration and the discredit of the IT department. The important thing is that I am neither tier 1 support nor a network guy, so I can mostly sit to the side and look down disdainfully at the whole farce without actually having to do something about it.
A few years of answering inane questions over and over and they won't be so helpful.
I tell people to call the help desk phone line so I can spend more time commenting on Slashdot while waiting for the real security work to roll downhill.
I don’t understand the math, here. The sourced “article” (it’s more of an advertorial, really) affirms:
- salaries upwards of $100,000 a year
- 80% say more than 1 hour per week, which could equate $88,000 per year.
- 8% say more than 5 hours per week, which could equate $400,000 per year.
- up to 12.5% of investment squandered.
At the risk of making a fool out of myself:
- $100,000 per year is about $50 per hour, isn’t it?
- 80% staff spending 1 hour per week (50 hours per year) would then cost an average of $2000 per employee per year, not $88,000.
- 8% staff spending 5 hours per week (250 hours per year) would then cost an average of $1000 per employee per year, not $400,000.
- 8% staff spending 5 hours per week (12.5% of the work week) and the remaining 72% spending 1 hour per week (2.5% of the work week) would represent an average of 2.8% of investment squandered, not 12.5%.
Naturally, to measure the true loss, you’d also have to deduct the costs saved from not asking the regular IT staff to do the job, and also the gains obtained from the immediate increase in productivity resulting from the security staff’s intervention.
Of course, the article is a thinly disguised advertisement for some “automation solutions available that help them keep their day-to-day work”, so accuracy may not be paramount, compared to shock value.
It's from beetrootnews. By vegetables, for vegetables, about vegetables.
I have more time than this wasted in meetings. Currently it's a BA with a bee in their bonnet about edge case scenarios who wants endless meetings to discuss them...
Too often the people that fix things open up security holes. Most of the time IT departments' 'training' consists of "This is how you google the solution to your problem." and "Call this Vendor for this problem."
For anything more than that, the help desk is useless but the Security department knows how to fix the issue.
Isn't it "1% of IT staff fixes 83% of problems"
The math in the summary makes no sense. An hour a week on an annual salary of 100,000 is nowhere near 88,000. Tell me where there is a job that pays 68,000 a week for security work and I'll gladly help my colleagues out with whatever else they like for 1 hour, or 5 hours, a week...
Security people need to be on top of multiple fields. You can't be in IT security without knowing a lot about all the layers in the system.
Specialist network techs look at a problem and push it to specialist server/desktop techs if it doesn't fit their view of a "network issue". The user gets bounced back and forth till they give up or figure it out themselves.
Take the problem direct to a security specialist and 9 times out of 10, they will be able to point directly to the root of the problem because they don't have tunnel vision. Word of mouth spreads the idea that "Fred in security will know how to fix that", rinse and repeat and you spend half your day on support issues.
It's human nature. And not necessarily a bad thing, as a single call for help can lead to nipping a security issue in the bud.
More general training (and higher pay!) for help desk staff is the only real answer but people are locked into the idea that help desk are "ticket generators" rather than troubleshooters.
No ticket, no talky.
If the ticket is assigned to Security, fine. We get credit for the fix. My security team is more knowledgeable than 90% of the IT staff anyway. My staff has a strong desire for knowledge, not just showing up and getting a paycheck like many helpdesk folks. Some took a class, passed a test and got hired. That was the last real effort I've seen.
Of course, there are some fantastic helpdesk people with a real gift in helping users of all skill levels. I've been helped by them many times and appreciate it. Lots and lots of experience AND patience is a huge asset.
Availability is availability and availability is critical. If "fixing other IT problems" results in increased availability, (even for a single user), you've helped provide value to the business. If you think that because you are "Security Staff" there are incidents/problems that are beneath you, your "10,000 foot view" will miss individual trees for the forest and will get burned on your next audit.
Just help out.
Since "security" has been en vogue for the past several years, certificate programs have popped up and other opportunists have put "security" on their resume since it has been a job in demand. Having worked at a few Fortune 100s, the disparity between the few guys who really know their shit and the guys who got there and do god knows what is vast.
Where I live that's about what starting engineers get. Security experts should be paid over 2x that. No wonder security is shit.
That's okay, I spend 40% of my time working around app response and usage problems created by overly-aggressive McAfee settings put there by Security.
You're basically paying a 'security' professional who is really just an "IT person" in order to make sure you got the 'security' in your company and can check off a box on the PCI/HIPAA/SoX compliance worksheets.
What else is the security guy supposed to do? You can't read/write CVEs all day long, you actually have to do system or network administration at some point.
And what would happen if the guy was only relegated to the core job description? He'd be playing video games all day long anyway.
Obligatory
"National Security is the chief cause of national insecurity." - Celine's First Law
In other news 92% of network staff spent an average of more than 30 hours a week denying there was any functionality issue with their network configuration and implicating the client devices and/or applications.
Then the issues magically resolved themselves when the router was rebooted or the firewall mysteriously started allowing traffic through on previously blocked ports despite no configuration change on the part of the network staff...
five hours a week or more could be costing over $400,000
How much are these people being paid?
Security, by the very definition of the job, deals with stuff that isn't for public consumption. That in turn means that it usually takes a bit of work to get these people cleared to do what they're doing. It actually took nearly 2 months for me to just get all the necessary clearance checks done so I can sit in the office that I sit in now. Without them, no chance to get in there at all.
Yes, that means I have to empty my own waste bin and run the vacuum cleaner myself every time it gets so dirty that even I don't want to walk across the carpet. Is that security related? No. It's janitor work (and trust me, my appreciation for these people went up a LOT since I took that job!). And I have to carry computers around, I have to install my own hardware, I have to run cables, I have to change lightbulbs, you get the idea.
If you say 83% of security staff are "wasting" time on non-security related jobs, I don't question the 83%. I question what the other 17% of security are actually doing.
My experience doing I.T. for several mid-sized companies over the last 20 years is, none of them had big enough budgets to justify hiring dedicated "security" people. It's simply the best "bang for the buck" to hire a core group of a few I.T. "support people" who take care of servers, trouble tickets from users, and do some of the planning and upgrade projects.
When I've met "InfoSec" guys working for businesses similar to the ones I've worked for (perhaps a bit larger in size with larger budgets)? They typically come off as a bit arrogant. They like to spend a lot of time going around to other people in I.T., giving out their unsolicited advice on how something or other should be done, and do a lot of bending the ear of middle or upper management to get policies and procedures put in place to formalize their ideas.
Are they intelligent people who actually do have a lot of knowledge about securing a network? Yes! But they often fail to really grasp that security is always going to be a trade-off. The more you secure the environment, the less worker-friendly it becomes. The I.T. "generalists" who have been supporting networks, servers, workstations, and all the peripherals and software swirling around them often have an awareness that many of these recommendations for "better security" aren't being implemented. The InfoSec types become a bit like annoying flies or gnats that keep buzzing around your head while you're trying to work. They work against your own goal of improving efficiency and worker productivity with their demands that "everyone change their passwords every 14 days, using no less than X number of characters with upper and lowercase, plus at least 1 special symbol", or that all the USB ports on the desktops be glued shut, or ??
I'm sure that in many cases, these guys get paid handsomely to secure things, but once they've implemented all the ideas they can come up with -- they have a lot of time on their hands, just checking log files or doing the occasional audits of what's already supposed to be in place. It makes sense to utilize them to do more of the "day to day support" stuff, so you're not paying them to sit on their hands waiting for the next big malware outbreak or suspected hack to come along.
Too much salt in your diet?
"Hey IT, can you fix my outlook? It's not working."
"Sure"
"Hey IT, can you fix my chair? It's not working."
"sure"
"Hey IT, can you fix my fridge? It's not working."
"err...sure"
"Hey IT, can you fix my A/C? It's not working."
"Just to say, I'm not the guy that fixes A/C."
"Can you also fix my fan? It's not working."
"...sure"
Why don't these people ask their co-workers to fix their cars for them? How about their busted TV?
As someone who taught corporate level security classes, who is now in corporate security offices going around helping other businesses, and who used to be a system admin, security people are some of the worst technical people around, excluding end users.
The reason they are doing outside work is because under normal circumstances most of them are doing nothing. Most are so tech ignorant that they just watch their tools for alerts but don't have the skills needed to set them up for much more than what ships with the tools. So you have people sitting around the technical area of the business; people see them and ask them to do stuff.
newsflash: AVAILABILITY is one of the tenets of infosec.
Cry me a fucking river. Jesus H. Christ on a bicycle, who doesn't spend an hour a week dealing with shit that isn't ultimately their problem? If something that's not my problem is fucked up, it's in the company's best interest for it to be right, and it's faster for me to deal with it than to bitch about it and throw somebody else under the bus who probably just made an honest mistake, so I'll just take care of it.
You're talking about 2.5% of your time if you spend 1 hour on it in a 40 hour work week. Most "security professionals" probably spend way more time making coffee, talking to co-workers for no productive reason or using the restroom than they spend on "other IT issues".
I spend about 20% of my time debunking their bogus vulnerability reports.
So it all works out.
High quality, low quality.
In retail Loss Prevention you see LP "detectives" doing the jobs no one else wants to, like locking/unlocking doors, wiping up spills, and being relegated to being the sole proprietors of anything related to safety, when all of these are more Operational than Security.
You can not provide security and overwatch when you are constantly putting your security team on these tasks.
In LP we did "new-hire orientations" to educate employees on things that were our focus. Not only did this provide a "scared straight" anti-theft, pro-safety benefit, but it placed us in the position of defining our role, and refocusing us so that we did not get caught up in tasks that were relegated to us by people who did not understand what we do.
Education, and essentially being a cheerleader for security, is the key. This has to be presented CONSTANTLY in a way that people are engaged, and so that you are not seen as the boy who cried wolf.
He drained one swamp to get his swamp even larger.
Now it's a gamble over how long he will be in office.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Dear brilliant managers, Please do forbid your valued security specialists to talk with those abusive colleagues. Let them handle the problems themselves! *Then* calculate your losses, you mediocre condescending a-holes! People are not robots, you know, they interact and even help each other!
I don't know anyone in IT who doesn't have to spend a little time here and there working on stuff that is outside their job descriptions. What makes them special, just because they work on network security?
I think you're spot on.
I think one reason the security people are getting dragged into ordinary problem solving is that ordinary support people are running into end-user problems that are *caused* by security configurations that support can't change.
I think a lot of security people want to sit in the back room and implement a bunch of security changes without consideration of what breaks or how it affects end users. It may be the "right" thing to do, but they don't care about the side effects.
and sometimes I end up wasting upwards of half my time not programming, and nobody seems to care!
In fact, clients often specifically tell me not to mention the problems I run into that prevent me from doing my job.
I just can't believe these people are going to get their panties in a bunch over security professionals losing an hour a week here and there.
First off on the topic, I don't think it is all that surprising, but would add that it isn't just "Security staff", but essentially all IT staff not in a direct support role. It happens to me all the time, and for the most part I'm happy to oblige if I can. It only becomes annoying when I have other priorities or pressures, and so-and-so wanders by and wants me to figure out his printer problem or something when I should be testing a corporate application for bugs on a deadline.
Second I do have a limited support role for some specific applications, and as a result I submit a LOT of tickets. Not only because I need to for myself in a development capacity, but also on behalf of some users with certain problems. Anyway as you call it "pass the buck", I typically refer to it as the "blame game", it is easily the number one thing that makes things take about 10,000% longer than they should, but also ends up with a lot of "resolved" tickets for unresolved problems.
One in particular I had this year (and indeed I went through the whole BS process last year with a similar result), was essentially complaining about the testing environment for a particular application we're doing development on. Under a lot of pressure to test the bejesus out of it to ensure nothing gets into production, however this is "challenging" by the fact that the environment runs about 25 times slower. So a test query that might take 7 seconds on DEV or on PROD takes about 3 MINUTES on the stupid testing rig. Now multiply that by hundreds of test cases. It is absolutely brutal, and testing certain things becomes very difficult if not even very reasonable to do within the time frames of the project. Anyway I have no idea why it is so slow, and as mentioned, it has been this way for a while now. It isn't like it is 25% slower or something like that, the difference is astounding and hard to simply attribute to only old hardware or something. Also for reference, this is an older legacy system, which should probably run pretty well on just about anything seeing as it was designed to initially run on hardware from the 1990s...
Anyway so after I get thoroughly frustrated, I decide to give it a try to get someone to do something about it. So I start the whole process as I am required to do with a stupid IT help desk ticket... First it is required to get escalated a bit, as it isn't something one of their first line staff is used to dealing with. Then the blame game starts. The data centre hardware guys blame the application and the code, who blame the DBAs and the DB structure, who blame the network people, who blame the security people, who blame the middleware folks, who blame the vendors of the VM, who blame the hardware, who blame the DB optimization, who blame... etc... What basically happens is that at each juncture a bunch of emails are flying around, I'm usually called to do performance testing and testing and testing at each point (all of which ends up being exactly the same), the ticket itself gets "resolved" and "re-opened" multiple times because some group decides that they are done, and it just continues and goes on, and eventually in the end nothing actually happens. At a certain point I just make sure my management is aware of the issue, and the fact that I can only reasonably test to a certain point given the circumstances, that all the various IT parties have been made aware of the issue, did nothing, and as such are willing to accept the risk, that should something get into a production setting that I couldn't test for, the blame for that falls directly on the low performance of the environment and the lack of support that it has... Bitter much, I know. Anyway I know I will run into this again next year, and the year after that, etc... until they probably replace everything and start anew with a different configuration.
Another issue other than the blame game is "partial" tickets, where part of a ticket will get done (say installing some software), but the second part of the ticket (say creating a user account) doesn't.
So the 100k security guy is spending 10% of his time doing something that the 100K admin is supposed to be doing. Sad!
At my company most of the problems are caused by security related policies or software! Be it DLP, Host Antivirus, SSL interception or stupid proxy policies... most of the problems come from the security team.
Tell me more about how to "flay [...] the heads of MBA morons"!
Seriously, the OP suffers from tunnel vision. It's also elitist.
Here is the reality I've found in my career:
1) The users don't care how their problems get solved;
2) The users will take the path of least resistance and do the easiest thing;
3) Problems need to be solved and the organization will pay, regardless. The biggest issue here is, what is the opportunity cost for having IT InfoSec doing it?
4) What is stopping IT InfoSec from referring the user to the Help Desk or other standard support avenue?
5) Most IT people, who aren't too busy and aren't dickheads, will offer to help a user, even outside of their normal duties. It's good corporate relations and rewarding for the IT analysts personally too;
Long and short, IT InfoSec can stop this if it is a problem. Seems like they don't consider it to be a problem, at least not a big enough one to invest in fixing it. Or possibly, it's one of those "hills they don't want to die on," which is an equally valid reason to not invest in it.