83 Percent Of Security Staff Waste Time Fixing Other IT Problems (betanews.com)
An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.
"IT personnel are usually the helpful, go-to people for sorting out issues"?
If people are calling system security to help with computer issues that should be handled by the IT help desk then it's probably because:
1. The issues being reported appear to be security problems.
2. The IT helpdesk consists of condescending asshats which most employees avoid at all costs (based on my work experience, I bet this is the big reason).
More seriously, if security staff are only being called in on inappropriate calls that take up less time in a given week than they spend choosing what to put in their coffee, you've got a pretty efficient IT setup with very little to worry about.
Or you haven't gotten a clue as to what's going on and the North Koreans are actually running your business.
And 90% spend 20 minutes a day getting coffee which requires an additional 20 minutes a day going to the bathroom. People spend time at work doing things other than what they are paid for, it's the nature of most jobs. Most companies accept this.
It is only possible to prove the correctness of programs that are purely functional. Today's software is not written like that. Besides, it is easy to blame the programmers on not getting it right the first time. That's like blaming the first steam engines on not being as effective as the latest steam turbines. There is heavy pressure on getting to market fast. Oh boy if I had the time to perfect every line of code I wrote. I would write the best code.
It serves to establish and maintain closer relationships between users and IT security people, so that, you know, if a user has a suspicion of a security problem, they feel more confident and approach IT security staff earlier. But that idea flies wayyyyy above the heads of MBA morons.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Actually, they are not "sloppy" and "lazy". They are the cheapest "coders" the MBA-morons in charge could find. They could do a better job if their life depended on it. Alternatively, coders that do have it and can do it (a minority) are not given enough time to clean up and fix remaining issues, because said MBA-morons think "it works". I have learned to not give them anything that has the complete functionality before all other aspects are fine. Otherwise they declare the prototype "ready for production" and that is not good at all.
1) The help desk won't tell the user they don't know how to do their job (and usually the user is so bad at describing the issue they probably haven't had a chance to figure out it's a PEBKAC issue) so they dispatch desktop support.
2) Desktop support doesn't understand what's happening and doesn't communicate well with the user to get the details required to figure it out, so they blame network (security/policy/site connectivity/whatever).
3) The network tech stops what they're doing to prove it's a desktop issue so they can push the job back down the chain.
4) The desktop guys figure out the user is improperly trained - sometimes they're just clueless, sometimes there's a change and their department didn't do the training... or even a simple notification.
That describes 80% of the tickets I am aware of in our organization. Sometimes it bounces back and forth between steps 2 and 3 a couple of times, to the user's frustration and the discredit of the IT department. The important thing is that I am neither tier 1 support nor a network guy, so I can mostly sit to the side and look down disdainfully at the whole farce without actually having to do something about it.
Rice's theorem hates your guts.
But my Dell cup holder is still broken!
I don’t understand the math, here. The sourced “article” (it’s more of an advertorial, really) affirms:
- salaries upwards of $100,000 a year
- 80% say more than 1 hour per week, which could equate $88,000 per year.
- 8% say more than 5 hours per week, which could equate $400,000 per year.
- up to 12.5% of investment squandered.
At the risk of making a fool out of myself:
- $100,000 per year is about $50 per hour, isn’t it?
- 80% staff spending 1 hour per week (50 hours per year) would then cost an average of $2000 per employee per year, not $88,000.
- 8% staff spending 5 hours per week (250 hours per year) would then cost an average of $1000 per employee per year, not $400,000.
- 8% staff spending 5 hours per week (12.5% of the work week) and the remaining 72% spending 1 hour per week (2.5% of the work week) would represent an average of 2.8% of investment squandered, not 12.5%.
Naturally, to measure the true loss, you’d also have to deduct the costs saved from not asking the regular IT staff to do the job, and also the gains obtained from the immediate increase in productivity resulting from the security staff’s intervention.
Of course, the article is a thinly disguised advertisement for some “automation solutions available that help them keep their day-to-day work”, so accuracy may not be paramount, compared to shock value.
>I tell people to call the help desk phone line
I tell them to email our automated ticketing system. It creates a ticket with the correct user information and doesn't require our help desk staff to waste any time interpreting what the user's trying to say... the user just types out what they will and can attach a screen shot.
Then the system does a keyword search and 99% of the time it will appropriately assign the ticket to the correct class of support personnel.
Then the help desk folks can ALSO spend more time on Slashdot.
Isn't it "1% of IT staff fixes 83% of problems"
Security people need to be on top of multiple fields. You can't be in IT security without knowing a lot about all the layers in the system.
Specialist network techs look at a problem and push it to specialist server/desktop techs if it doesn't fit their view of a "network issue". The user gets bounced back and forth till they give up or figure it out themselves.
Take the problem direct to a security specialist and 9 times out of 10, they will be able to point directly to the root of the problem because they don't have tunnel vision. Word of mouth spreads the idea that "Fred in security will know how to fix that", rinse and repeat and you spend half your day on support issues.
It's human nature. And not necessarily a bad thing, as a single call for help can lead to nipping a security issue in the bud.
More general training (and higher pay!) for help desk staff is the only real answer but people are locked into the idea that help desk are "ticket generators" rather than troubleshooters.
(as long as it is legal).
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I want to know my employer is getting value for the money they pay me.
If I'm spending my time doing things we can employ someone on a third of my salary to do, I'm going to suggest we do exactly that. I have no shortage of high value activities to put my time into.
You appear to have no fucking clue whatsoever about the software creation process, its constraints and complications, and how fucking astonishing it is that things as complex as modern operating systems even fucking run, let alone work.
You want to mathematically prove 300GB of Windows source code? You go right ahead, then borrow a time machine so you can come back and tell us how it went, because by the time you've finished our grandchildren will all have died of old age.
Sure, blame the programmers.
You want a secure system? I can do that. I'll hit the big red fucking button on the data centre wall and all our data will be beautifully secure.
Strange, people I work with don't want that to happen. They would prefer to compromise security in order to achieve other outcomes.
That's got fuck all to do with programming. That's people, processes, stupidity, resource constraints and other factors that are so far beyond the control of programmers that blaming them is total idiocy.
Shit, you already know you shouldn't trust the software to be secure so what fucking difference does it make whether the programmer is any good anyway? Put the right mitigations in place and you'll survive a four year old jumping on the keyboard his parent left attached to your GIT repository.
Fucking security "professionals" need to learn how to do their fucking job, and that it doesn't include blaming every other cunt for their own failings.
How about starting with not appointing idiots with zero knowledge about code as their bosses, and not letting those zero-brain idiots set the milestones and delivery dates?
It is a little known fact that programmers don't really like to ship buggy, unstable and barely tested code. Most of them would just love to ship rock solid code that could even drink fruity drinks with little umbrellas because it's SO secure. But that takes time they don't get from their PHB morons.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
IT security is a huge problem because it has been ignored until the recent past. Only now that security breaches start to get expensive, especially in the light of ransomware attacks that now also start to hit big businesses (because until now, a security breach there only meant that your data gets stolen and your identity gets abused, who gives a fuck about that?), and also changes in laws that put the knife for security breaches right at the throats of C-Levels, they start to replace mental lull with operative hectic and realize that SOMETHING has to be done.
SOMETHING!
It's a great time to be a security consultant, I tell you... Well, provided that you just want to make a ton of money and don't really care that you should actually tell your customer "You're fucked. Shoot yourself"...
My experience doing I.T. for several mid-sized companies over the last 20 years is, none of them had big enough budgets to justify hiring dedicated "security" people. It's simply the best "bang for the buck" to hire a core group of a few I.T. "support people" who take care of servers, trouble tickets from users, and do some of the planning and upgrade projects.
When I've met "InfoSec" guys working for businesses similar to the ones I've worked for (perhaps a bit larger in size with larger budgets)? They typically come off as a bit arrogant. They like to spend a lot of time going around to other people in I.T., giving out their unsolicited advice on how something or other should be done, and do a lot of bending the ear of middle or upper management to get policies and procedures put in place to formalize their ideas.
Are they intelligent people who actually do have a lot of knowledge about securing a network? Yes! But they often fail to really grasp that security is always going to be a trade-off. The more you secure the environment, the less worker-friendly it becomes. The I.T. "generalists" who have been supporting networks, servers, workstations, and all the peripherals and software swirling around them often have an awareness that many of these recommendations for "better security" aren't being implemented. The InfoSec types become a bit like annoying flies or gnats that keep buzzing around your head while you're trying to work. They work against your own goal of improving efficiency and worker productivity with their demands that "everyone change their passwords every 14 days, using no less than X number of characters with upper and lowercase, plus at least 1 special symbol", or that all the USB ports on the desktops be glued shut, or ??
I'm sure that in many cases, these guys get paid handsomely to secure things, but once they've implemented all the ideas they can come up with -- they have a lot of time on their hands, just checking log files or doing the occasional audits of what's already supposed to be in place. It makes sense to utilize them to do more of the "day to day support" stuff, so you're not paying them to sit on their hands waiting for the next big malware outbreak or suspected hack to come along.
So that's why you were unemployed for two years!
Even if programmers always followed best practices, this would not eliminate vulnerabilities.
It's easiest to understand this through analogy. Your house has security vulnerabilities. A thief can kick in a door, or break a window, or just ring your doorbell pretending to be a neighbor. No matter how solid the construction, there's always a way in, given enough will and determination.
Code is no different. It's really just an arms race. You can fortify your code, but then so will the intruders.
If this is actually true...I never met a person as altruistic as yourself.
It's a free country, live like you wanna live, but to me, I view work in a much more mercenary fashion. I want to get paid as much as possible, period...if they have me peeling potatoes for $100K+ a year, I'm happy to do it, and hope they never find anyone willing to do it cheaper.
The *only* reason I work is to make enough money to allow me to live the lifestyle that makes me happy. If I won the lottery tomorrow, I dunno if I'd even bother telling them I wasn't coming back....ok maybe I would, I'm not that cold...but I certainly would never "work" again.
Right - pray for it. It's not because it's a disgusting, abhorrent thing that brutalizes and damages innocent children - it's just a SUPER inconvenient thing to have to deal with making a couple legal statements and filing a report.
If it was a "SUPER inconvenient thing", the easiest course of action would be to do nothing.
You might even have to miss your lunch for a day or two.
My coworker reported the filenames he came across while transferring data between systems. He never looked at the images. He only had the log file from the data transfer. It was the IT manager and security chief's job to make the determination and confiscate the system.
Do you ever think before you post?
Yes, I do. Your knee-jerk hostility towards me is misplaced.
All child pornography reports are fake. Someone just wanted an excuse for a witch hunt.
The user was never told why security confiscated his system. He was offered a replacement system but kept insisting on getting back his old system. He behaved like a lunatic for three days, throwing away whatever professional reputation he had. An innocent person would have accepted a replacement system and continued on working.
That's a shame, but you do realise plenty of people take pride in their skills and get satisfaction from being useful and good at something?
and sometimes I end up wasting upwards of half my time not programming, and nobody seems to care!
In fact, clients often specifically tell me not to mention the problems I run into that prevent me from doing my job.
I just can't believe these people are going to get their panties in a bunch over security professionals losing an hour a week here and there.