
Why Upper Management Doesn't "Get" IT Security

Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
This discussion has been archived. No new comments can be posted.

  • Not that hard (Score:5, Informative)

    by bhmit1 (2270) on Wednesday November 08, 2006 @03:14PM (#16772743) Homepage
    From the part-of-your-job-to-explain-it-in-their-terms dept.

    Let's try this. When you forget to lock your Lexus and it's not there when you are ready to go golfing, that sucks. Almost as much as when you go to use the server and some hackers are using it to joy ride the net and sell all your customer records while you are liable. But unlike the car, where you can buy a new one, it's a pain in the ass to buy a new company image.
  • Re:Not surprising... (Score:1, Informative)

    by Anonymous Coward on Wednesday November 08, 2006 @03:46PM (#16773489)
    "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.

    Bruce isn't in the business for giving out his top notch observations for free.

    Erm, the report is not Bruce's; it's from a consulting co. hired by DHS: http://www.conference-board.org/publications/describe.cfm?id=1231 [conference-board.org]

    Navigating Risk -- The Business Case for Security
    Author: Thomas E. Cavanagh
    Publication Date: October 2006
    Report Number: R-1395-06-RR

    This report details the results of a survey by The Conference Board (sponsored by the U.S. Dept. of Homeland Security) of 213 senior corporate executives working for a broad range of companies. Results show the importance of managing and mitigating risk in making the business case for security. Companies that have the most to lose, tend to be the companies that are most willing to invest in security. These companies include those in critical infrastructure industries, large corporations, multinationals with global operations, and publicly traded companies.

    Topics Covered:
    * Alignment with Business Objectives
    * Risk-Related Metrics
    * Different Metrics for Different Industries
    * Involvement in Security Activities
    * Access to Senior Management
    * Influence vs. Support in Security Decision-Making
    * Security, Risk and Competitive Advantage
    * Certification Standards and the Loss of Business
    * Putting a Limit on Security Spending
  • by Fulcrum of Evil (560260) on Wednesday November 08, 2006 @04:02PM (#16773847)

    Unless the company makes security software or hardware, it IS an expense. Computer security should be handled with the same priority as physical security (keeping facilities secure) and basic infrastructure (power, water, telephone, etc.).

    Yeah, it's absolutely vital, and the results of a breach can be devastating.

    Any CEO that spends an inordinate amount of time on computer security will, and should, be fired.

    Maybe this should be handled by the CTO or someone he manages? CEOs do vision, not operations (except when that messes with the vision).

  • Re:Does.... (Score:3, Informative)

    by larkost (79011) on Wednesday November 08, 2006 @05:36PM (#16775659)
    You missed the point that the creation of the report (costs of writing it) might not have been completely covered by the grant. In fact it was probably put forward as a proposal this way: the government agency wanted a study done, and rather than paying a company the full price to do the work, they paid them half (or some other fraction), but at the end of the job the company gets to re-sell the report.

    For the government department it costs less for the report they wanted. So they saved the taxpayers money.
