Slashdot Mirror


83 Percent Of Security Staff Waste Time Fixing Other IT Problems (betanews.com)

An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.


  1. Re:It's a chain of 'pass the buck' by DigiShaman · · Score: 3, Informative

    *sigh*. Let me just say I've been doing helpdesk, server, and networking support for well over 20 years now. I will share with you some golden advice to teach any new helpdesk new hire. It's not technical, it's a frame of mind. Technical knowledge can be learned, but starting off with the right mindset pays off long-term!!

    1. When an end user has a problem, it should always be assumed to be a perceived problem, and not the actual issue at hand. Sometimes you get lucky and are talking with someone that knows how to communicate well; but always assume at first it's just perceived.

    2. After making a determination as to where the problem actually is from the POV of the end-user, the next step involves defining the scope of the issue. This part is IMPORTANT. Having someone say "the network is down" doesn't mean jack shit if all others in the office are functioning just fine. It is imperative that the technician understand where the problem begins and ends. Divide and conquer the scope until you have a definitive range to work with. It could be a switch, the desktop computer, or just isolated to that one user's local profile.

    3. After establishing the scope of the problem, you now know what other departments this may or may not encompass. From this standpoint, you can execute against the problem with available resources.

    --
    Life is not for the lazy.
  2. I'm actually going to try to defend some of this.. by King_TJ · · Score: 4, Informative

    My experience doing I.T. for several mid-sized companies over the last 20 years is, none of them had big enough budgets to justify hiring dedicated "security" people. It's simply the best "bang for the buck" to hire a core group of a few I.T. "support people" who take care of servers, trouble tickets from users, and do some of the planning and upgrade projects.

    When I've met "InfoSec" guys working for businesses similar to the ones I've worked for (perhaps a bit larger in size with larger budgets)? They typically come off as a bit arrogant. They like to spend a lot of time going around to other people in I.T., giving out their unsolicited advice on how something or other should be done, and do a lot of bending the ear of middle or upper management to get policies and procedures put in place to formalize their ideas.

    Are they intelligent people who actually do have a lot of knowledge about securing a network? Yes! But they often fail to really grasp that security is always going to be a trade-off. The more you secure the environment, the less worker-friendly it becomes. The I.T. "generalists" who have been supporting networks, servers, workstations, and all the peripherals and software swirling around them often have an awareness that many of these recommendations for "better security" aren't being implemented. The InfoSec types become a bit like annoying flies or gnats that keep buzzing around your head while you're trying to work. They work against your own goal of improving efficiency and worker productivity with their demands that "everyone change their passwords every 14 days, using no less than X number of characters with upper and lowercase, plus at least 1 special symbol", or that all the USB ports on the desktops be glued shut, or ??

    I'm sure that in many cases, these guys get paid handsomely to secure things, but once they've implemented all the ideas they can come up with -- they have a lot of time on their hands, just checking log files or doing the occasional audits of what's already supposed to be in place. It makes sense to utilize them to do more of the "day to day support" stuff, so you're not paying them to sit on their hands waiting for the next big malware outbreak or suspected hack to come along.