Why Upper Management Doesn't "Get" IT Security 126
Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
because our auditors don't get it. (Score:5, Insightful)
Many of the upper management people I talk to know more about what we should be doing compared to what we are doing. The problem they have in overriding the auditors is the threat of the government and the shareholders. If they take the safe route the keep their jobs and stay out of jail. Actually the fear of the government is far worse that fearing the shareholders. (thanks to wonderful overreactions by Congress we get even more doing a whole lotta about nothing that ends up preventing us from doing what we should)
dumb morons of the 70's (Score:2, Insightful)
apparently customers dont want it (Score:2, Insightful)
People have shown a willingness to put up with insecure half ass reliable products
And yes, this must change.
Re:Does.... (Score:4, Insightful)
We, the taxpayers have paid for this paper, yet we also must pay for copies of the very document we paid for to begin with.
That's what I dont like. Akin to double-taxation.
(from the BuyMe screen liknked from schneider...)
survey by The Conference Board (sponsored by the U.S. Dept. of Homeland Security)
If upper management doesn't "get" IT security.. (Score:2, Insightful)
Not surprising... (Score:3, Insightful)
Bruce isn't in the business for giving out his top notch observations for free.
Are any of us?
I'd say it's a pretty lame attack to point out the cost as a negative. Just admit that you're not interested in his opinion and move on.
IT security sucks for this very single reason: It takes effort.
The solution? Demand effort.
Tom
Too rich for my blood. (Score:4, Insightful)
The general problem with IT. (Score:5, Insightful)
Its almost worth messing up from time to time just to show what would happen every day if you weren't there.
I can tell you for free (Score:2, Insightful)
The difference... (Score:3, Insightful)
Re:Computer people don't "get" business (Score:1, Insightful)
Don't get me wrong, I do think there's such a thing as overkill when it comes to security, but there are enough management types out there who don't pay much attention to it at all until AFTER some embarrassing "accident" happens.
There are a lot of departments out there that are wanting company resources, that's understandable. In the end, though, you'd probably agree that to most (if not all) businesses, the ultimate thing that brings in money are the customers. I'm just asking the powers-that-be to ensure that the customers feel comfortable trusting us with their data.
The approach I keep hearing about (Score:5, Insightful)
Instead, calculate the cost of a breach. Then walk up the chain of command with the message "Like any risk, we can avoid it, mitigate it, transfer it to an insurance company, or accept it. If you do nothing you're accepting it. If you accept it then on the day a breach happens you will spend eleventy thousand dollars of company money. Do you have signing authority for eleventy thousand? If yes, here's the cost of a couple of mitigation options, and you're the boss. If no, you understand that I'm only going over your head because the decision has to be made at that level."
Re:The general problem with IT. (Score:2, Insightful)
Yeah. And how about the janitors? Maintenance people? Trucking people? Accounting people? Shipping people? People in manufacturing? IT is just one part of a massive support staff that it takes to run any business.
I'm sorry to break the news that IT isn't necessarily any more important than the people that make sure that the toilets flush and the power bills are paid. Actually, as a business owner, if I had a fixed amount of money and had to decide to spend it on either A. A plumber, B. More help on the loading dock, or C. IT, I gotta say that C would be last on my list. Sorry guys. I can run my business with somewhat broken computers. I can't run it with no toilets and nobody to receive the inventory.
Re:Computer people don't "get" business (Score:3, Insightful)
Too many IT guys present proposals like
"We need the ACME 3000 discombobulator to prevent DOR attacks,with a TOC of only $30,000".
Instead we sould be saying
"Mr Rumsfeld these Denail Of Reality attacks may cost you
8% points at the polls we could prevent them for only $300,000".
See how much better it sounds.
Buy the "The Bullshit proposal language" (The boy cow book) from O'Really tommorow.
Re:Computer people don't "get" business (Score:3, Insightful)
Unless you have valuable products you are storing, most places' physical security begins and ends with deterrent and auditing. It's cheaper to put a single lock on the door and an alarm system that logs off site than it is to put in reinforced glass with bars and magnetic locks.
This is not the point of view you want to take with data security, which is the "product" that you are trying to protect.
Re:Computer people don't "get" business (Score:5, Insightful)
Forget the $495, I'll tell you for free. You want a better chance at the funding, make the upward ladder understand the detrimental effect to the company and their profit if the the security is not in place. That means that you need to find the person in your group who can deliver the message in a nice brief way, using nice simple language that management understands, make sure you have urgency statements in the presentation, but don't be sensationalist, and the selling point is an assessment of the cost impact. The cost of developing security, verses loss of [fill in the blank]. And expect to get the funding in stages, in fact if you present a staged funding plan, it'll probably go down a lot better. Always remember, you don't hold the purse strings and those that do dislike being patronized or being made to look stupid (even though they may be).
Be glad they don't get it (Score:5, Insightful)
IT stuff is voodoo to most upper management, and I'm convinced IT shops get away with things they never would if the upper management understood IT as well as they understand, say, supply. I was upper management in two government organizations heavily dependent on IT. As a fairly competent computer user who likes to keep up with current events, I fought with our IT folks endlessly -- at least the management.
The first problem is IT quickly forgets that -- like everybody else except the people actually doing the core functions of the organization -- they are a support organization, not a control organization. They latch on to their ability to throw out security and voodoo computer terms to persuade the upper management to let them set policies. Upper management doesn't understand the policies at all, and often has no choice but to side with the IT pros no matter what the actual users want or need. As often as not, they then set policies that are purely for their convenience (for instance, wanting to standardize on Windows and a strict set of programs even though they support 25 or 30 different sections, some of which have been doing things like digital photography, desktop publishing and design on Macs for years). From the users' perspectives, IT makes using the actual IT resources as painful as possible to make their lives as simple as possible, and the fact that they're hampering actual mission accomplishment doesn't bother them.
Next, they have a sweet deal going where they set a bunch of standards that require certain certifications or skills, so they hire people who perpetuate those standards, and only buy things that are compatible with those standards. This then requires getting on an endless treadmill of more training, more personnel, more software, more hardware, etc. And all the while they make it clear that it's lunacy to buy anything that doesn't have vendor support because if it actually breaks they can't be expected to get it going again using only the training, hardware, software and people that they have brow beat management into paying for using money that *every other part of the organization* was crying for and could have put to good use, too.
Lastly, on a day-to-day basis, far too many of them think that, because they're IT, it's their right to be arrogant, socially or organizationally inept, or just plain weird -- and sometimes it's a combination, so you get a organizationally inept weird guy being arrogant. How many of those does it take to ruin a shop's reputation? (IT certainly has no corner on that market, I'll grant you).
I could go on here, but I'm sure I've pissed off enough people already. I came from the internal communications side of things -- journalism and later PR. In my field management always thinks they can do your job better than you can because, hey, it's just writing and talking. Eventually, I got promoted into management and in dealing with IT I saw that their best defense is that almost nobody in a position of leadership (being mostly older guys, half of whom had never launched a program that wasn't sold by Microsoft) understood what they hell IT did or what it took to get it done. So all it took was a good talker or somebody who learned to cite vague security mandates from higher headquarters to get much more of what they wanted than anybody else did.
Of course, it also left IT open to being weaker when their leadership was weaker (or less smooth). But I didn't run into that. I ran into IT shops that got more of their resource requests approved than anybody else, but didn't really realize it and kept whining for more even though their support curiously never got better no matter how much you spent on them. And for every new capability you read about on Slashdot, they came up with two new security policies that made using it impossible.
Now I'm back in the trenches and don't get to go to the meetings where the IT guys try to talk the boss into banning the USB drives everybody has taken to using because the e-mail
Shouldn't do that, either. (Score:5, Insightful)
Sounds like a damn fine reason not to give people grants to write books then, unless they want to do so as U.S. Government employees, and allow the book to be a product of the United States Government (with their name on it, of course), and therefore in the Public Domain.
If public money is being used to fund the creation of something, the end product of that creation ought to be freely available to the public.
Do you think people would be quite so keen on funding the Smithsonian Institutions, if they charged admission fees? Probably not. I don't have any problem with the Smithsonian being publicly funded, in fact I think it's great; but making things halfway-publicly funded is just crappy, and generally gets the taxpayer less "bang for their buck" than if they just went all-in on half the number of projects, but funded them completely and 'owned' the results for the public, therefore making them free for anyone to enjoy.