Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

Why Upper Management Doesn't "Get" IT Security 126

Posted by ScuttleMonkey
from the part-of-your-job-to-explain-it-in-their-terms dept.
Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
This discussion has been archived. No new comments can be posted.

Why Upper Management Doesn't "Get" IT Security

Comments Filter:
  • by Anonymous Coward on Wednesday November 08, 2006 @02:17PM (#16772805)
    1) Explain the effects of a DOS attack by shutting off power to the beancounters' servers.

    2) Simulate the effects of spyware by displaying the contents of the PHB's um...photo collection along with his browsing history.

    3) Demonstrate the impact of weak passwords by logging in as the PHB and sending off a few colorful resignation letters to the CEO on his behalf.

    4) Emphasize the importance of reliable nightly backups by indiscriminately doing rm -rf everywhere. (you ARE root, aren't you?)

    5) Using the custodian's account, log in and download the entire customer database into your ipod, load it onto an independent laptop, and use the data to e-mail oodles of spam.

    Or you can just tell them the risk factors in which case they'll just stand in front of the swiss cheese and sing of how all the holes are theoretical.
  • by Anon-Admin (443764) on Wednesday November 08, 2006 @03:04PM (#16773895) Homepage Journal
    since it does not generate any income.

    I really am a little tired of hearing how IT does note generate any income!
    Do the trucks you deliver your goods with "generate an income?"

    The 8 Accounting servers go down for 24 hours, 15 Accountants can not do there job.

    20 years ago the company had 50 Accountants doing the job that 15 now do with the aid of computers. I would see this as reducing company overhead and every time you reduce company overhead you increase profits thus providing an "Income."

    The 4 Authentication servers go down for 24 hours and 5,250 people can not do there jobs.

    5,250 people down for 24 hours (1 Day) is a lot of money (Millions) IT is generating an income by enabling everyone to do there job!

    Although IT does not directly generate an income for a company it does not mean that it is a loss. It does not mean that the company could live with out the services that IT provides.

    It is like saying the CEO, President, VP, etc do not generate an Income for the company and are just a big hole you through money into.

    As to the topic of security, my favorite line has been "We will not be implementing security on the accounting servers. We do not want to make an A+ on SOX, we want to make a D and just get by. An A+ would be too expensive."
  • Re:Does.... (Score:3, Funny)

    by diersing (679767) on Wednesday November 08, 2006 @04:15PM (#16775277)
    If only there where a set of colors we could code the threats by, then even the "upper" manager could understand.

You see but you do not observe. Sir Arthur Conan Doyle, in "The Memoirs of Sherlock Holmes"

Working...