83 Percent Of Security Staff Waste Time Fixing Other IT Problems

An anonymous reader shares a report: A new survey of security professionals reveals that 83 percent say colleagues in other departments turn to them to fix personal computer problems. The study by security management company FireMon shows a further 80 percent say this is taking up more than an hour of their working week, which in a year could equate to more than $88,000. For organizations, eight percent of professionals surveyed helping colleagues out five hours a week or more could be costing over $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 percent of that investment being spent on non-security related activities.

On what planet is this true:

[mykepredko]

"IT personnel are usually the helpful, go-to people for sorting out issues"?

If people are calling system security to help with computer issues that should be handled by the IT help desk then it's probably because:
1. The issues being reported appear to be security problems.
2. The IT helpdesk consists of condescending asshats which most employees avoid at all costs (based on my work experience, I bet this is the big reason).

More seriously, if security staff are only being called in on inappropriate calls that take up less time in a given week than they spend choosing what to put in their coffee; you've got a pretty efficient IT setup with very little to worry about.

Or you haven't gotten a clue as to what's going on and the North Koreans are actually running your business.

Coffee breaks?

[richardellisjr]

And 90% spend 20 minutes a day getting coffee which requires an additional 20 minutes a day going to the bathroom. People spend time at work doing things other than what they are paid for, it's the nature of most jobs. Most companies accept this.

That time is not wasted

[gweihir]

It serves to establish and maintain closer relationships between users and IT security people, so that, you know, if a user has a suspicion of a security problem, they feel more confident and approach IT security staff earlier. But that idea flays wayyyyy above the heads of MBA morons.

Really?

[Picodon]

I don’t understand the math, here. The sourced “article” (it’s more of an advertorial, really) affirms:
- salaries upwards of $100,000 a year
- 80% say more than 1 hour per week, which could equate $88,000 per year.
- 8% say more than 5 hours per week, which could equate $400,000 per year.
- up to to 12.5% of investment squandered.

At the risk of making a fool out of myself:
- $100,000 per year is about $50 per hour, isn’t it?
- 80% staff spending 1 hour per week (50 hours per year) would then cost an average of $2000 per employee per year, not $88,000.
- 8% staff spending 5 hours per week (250 hours per year) would then cost an average of $1000 per employee per year, not $400,000.
- 8% staff spending 5 hours per week (12.5% of the work week) and the remaining 72% spending 1 hour per week (2.5% of the work week) would represent an average of 2.8% of investment squandered, not 12.5%.

Naturally, to measure the true loss, you’d also have to deduct the costs saved from not asking the regular IT staff to do the job, and also the gains obtained from the immediate increase in productivity resulting from the security staff’s intervention.

Of course, the article is thinly disguised advertisement for some “automation solutions available that help them keep their day-to-day work”, so accuracy may not be paramount, compared to shock value

It's generalist vs specialist

[davej]

Security people need to be on top of multiple fields. You can't be in IT security without knowing a lot about all the layers in system.

Specialist network techs look at a problem and push it to specialist server/desktop techs if it doesn't fit their view of a "network issue". The user gets bounced back and forth till they give up or figure it out themselves.

Take the problem direct to a security specialist and 9 times out of 10, they will be able to point directly to the root of the problem because they don't have tunnel vision. Word of mouth spreads the idea that "Fred in security will know how to fix that", rinse and repeat and you spend half your day on support issues.

It's human nature. And not necessarily a bad thing as as single call for help can lead to nipping a security issue in the bud..

More general training (and higher pay!) for help desk staff is the only real answer but people are locked into the idea that help desk are "ticket generators" rather than troubleshooters.