83 Percent Of Security Staff Waste Time Fixing Other IT Problems

An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.

On what planet is this true:

[mykepredko]

"IT personnel are usually the helpful, go-to people for sorting out issues"?

If people are calling system security to help with computer issues that should be handled by the IT help desk then it's probably because:
1. The issues being reported appear to be security problems.
2. The IT helpdesk consists of condescending asshats which most employees avoid at all costs (based on my work experience, I bet this is the big reason).

More seriously, if security staff are only being called in on inappropriate calls that take up less time in a given week than they spend choosing what to put in their coffee; you've got a pretty efficient IT setup with very little to worry about.

Or you haven't gotten a clue as to what's going on and the North Koreans are actually running your business.

Coffee breaks?

[richardellisjr]

And 90% spend 20 minutes a day getting coffee which requires an additional 20 minutes a day going to the bathroom. People spend time at work doing things other than what they are paid for, it's the nature of most jobs. Most companies accept this.

Re:It wouldn't be a problem if...

[gweihir]

Actually, they are not "sloppy" and "lazy". They are the cheapest "coders" the MBA-morons in charge could find. They could do a better job if their life depended on it. Alternatively, coders that do have it and can do it (a minority) are not given enough time to clean up and fix remaining issues, because said MBA-morons think "it works". I have learned to not give them anything that has the complete functionality before all other aspects are fine. Otherwise they declare the prototype "ready for production" and that is not good at all.

It's a chain of 'pass the buck'

[Baron_Yam]

1) The help desk won't tell the user they don't know how to do their job (and usually the user is so bad at describing the issue they probably haven't had a chance to figure out it's a PEBKAC issue) so they dispatch desktop support.

2) Desktop support doesn't understand what's happening and doesn't communicate well with the user to get the details required to figure it out, so they blame network (security/policy/site connectivity/whatever).

3) The network tech stops what they're doing to prove it's a desktop issue so they can push the job back down the chain.

4) The desktop guys figure out the user is improperly trained - sometimes they're just clueless, sometimes there's a change and their department didn't do the training... or even a simple notification.

That describes 80% of the tickets I am aware of in our organization. Sometimes it bounces back and forth between steps 2 and 3 a couple of times, to the user's frustration and the discredit of the IT department. The important thing is that I am neither tier 1 support nor a network guy, so I can mostly sit to the side and look down disdainfully at the whole farce without actually having to do something about it.

Really?

[Picodon]

I don’t understand the math, here. The sourced “article” (it’s more of an advertorial, really) affirms:
- salaries upwards of $100,000 a year
- 80% say more than 1 hour per week, which could equate $88,000 per year.
- 8% say more than 5 hours per week, which could equate $400,000 per year.
- up to to 12.5% of investment squandered.

At the risk of making a fool out of myself:
- $100,000 per year is about $50 per hour, isn’t it?
- 80% staff spending 1 hour per week (50 hours per year) would then cost an average of $2000 per employee per year, not $88,000.
- 8% staff spending 5 hours per week (250 hours per year) would then cost an average of $1000 per employee per year, not $400,000.
- 8% staff spending 5 hours per week (12.5% of the work week) and the remaining 72% spending 1 hour per week (2.5% of the work week) would represent an average of 2.8% of investment squandered, not 12.5%.

Naturally, to measure the true loss, you’d also have to deduct the costs saved from not asking the regular IT staff to do the job, and also the gains obtained from the immediate increase in productivity resulting from the security staff’s intervention.

Of course, the article is thinly disguised advertisement for some “automation solutions available that help them keep their day-to-day work”, so accuracy may not be paramount, compared to shock value

It's generalist vs specialist

[davej]

Security people need to be on top of multiple fields. You can't be in IT security without knowing a lot about all the layers in system.

Specialist network techs look at a problem and push it to specialist server/desktop techs if it doesn't fit their view of a "network issue". The user gets bounced back and forth till they give up or figure it out themselves.

Take the problem direct to a security specialist and 9 times out of 10, they will be able to point directly to the root of the problem because they don't have tunnel vision. Word of mouth spreads the idea that "Fred in security will know how to fix that", rinse and repeat and you spend half your day on support issues.

It's human nature. And not necessarily a bad thing as as single call for help can lead to nipping a security issue in the bud..

More general training (and higher pay!) for help desk staff is the only real answer but people are locked into the idea that help desk are "ticket generators" rather than troubleshooters.

Re:Who knew!!!

[cayenne8]

If someone is paying me $100K or more...what do I care what I do with my time for them...?

(as long as it is legal).

Re:It wouldn't be a problem if...

[Cederic]

You appear to have no fucking clue whatsoever about the software creation process, its constraints and complications, and how fucking astonishing it is that things as complex as modern operating systems even fucking run, let alone work.

You want to mathematically prove 300GB of Windows source code? You go right ahead, then borrow a time machine so you can come back and tell us how it went, because by the time you've finished our grandchildren will all have died of old age.

Re:It wouldn't be a problem if...

[Cederic]

Sure, blame the programmers.

You want a secure system? I can do that. I'll hit the big red fucking button on the data centre wall and all our data will be beautifully secure.

Strange, people I work with don't want that to happen. They would prefer to compromise security in order to achieve other outcomes.

That's got fuck all to do with programming. That's people, processes, stupidity, resource constraints and other factors that are so far beyond the control of programmers that blaming them is total idiocy.

Shit, you already know you shouldn't trust the software to be secure so what fucking difference does it make whether the programmer is any good anyway? Put the right mitigations in place and you'll survive a four year old jumping on the keyboard his parent left attached to your GIT repository.

Fucking security "professionals" need to learn how to do their fucking job, and that it doesn't include blaming every other cunt for their own failings.

Re:It wouldn't be a problem if...

[Opportunist]

How about starting with not appointing idiots with zero knowledge about code as their bosses, and not letting those zero-brain idiots set the milestones and delivery dates?

It is a little known fact that programmers don't really like to ship buggy, unstable and barely tested code. Most of them would just love to ship rock solid code that could even drink fruity drinks with little umbrellas because it's SO secure. But that takes time they don't get from their PHB morons.

Re: Who knew!!!

That's a shame, but you do realise plenty of people take pride in their skills and get satisfaction from being useful and good at something?