Why Upper Management Doesn't "Get" IT Security

Posted by ScuttleMonkey
from the part-of-your-job-to-explain-it-in-their-terms dept.
Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
  • by NineNine (235196) on Wednesday November 08, 2006 @03:15PM (#16772767)
    Of course CEOs don't want to spend a lot of money and time on security. Unless the company makes security software or hardware, it IS an expense. Computer security should be handled with the same priority as physical security (keeping facilities secure) and basic infrastructure (power, water, telephone, etc.). Any CEO that spends an inordinate amount of time on computer security will, and should, be fired. Just because you, as an IT person, spend all day reading about security threats does not mean that upper management should do the same. A good top level manager understands priorities, and handles them accordingly. IT security should be handled as an absolute requirement to run the business (like power and water), but should be handled with the minimum possible expense, since it does not generate any income.

    As a manager, you have to understand that EVERYBODY is screaming at you about their particular area. The marketing people need a bigger budget. The maintenance people are wanting to upgrade this and that. The transportation people need new trucks. That's their job. It's a top manager's job to look at each of these recommendations, and prioritize them in a way that will do the best for the company.

    Seems to me like this blog entry is just another example of IT people being too myopic to get any real handle on how a business is run. In case anybody is scratching their heads as to why IT people rarely climb up the executive ranks to manage large companies, this example illustrates that reason very well. (Usually, in large companies, the people running the show are from marketing or finance. Occasionally operations. Never from IT.)
  • by Anonymous Coward on Wednesday November 08, 2006 @03:34PM (#16773185)
    How about the decision to buy the CTO a $34,000 desk and office furniture? Yet nix buying that new server that holds the critical finance data because "we can't afford it this year"?

    I don't get "them" because "they" are simply bullshitting everyone already.

    Sorry, but no executive is worth what he/she gets paid... not for what I see they do for the company.
  • by CRMeatball (964998) on Wednesday November 08, 2006 @04:39PM (#16774563)
    I would have to agree that IT people are often too myopic for their own good. Perhaps this concept would make more sense if you realized that all the examples you cited reduced expenses and in no way created income. IT is a support system, period. Generating income means creating something new which can be sold, whether that is a tangible product or some service, which the CEO, VP and so forth are doing. They manage programs and make decisions which generate income. Yes, they get paid a lot for it, but they just don't sit at their computers all day reading Slashdot and complaining about how they get "ignored" by the people upstairs. Minimizing expenses is a wonderful thing, and needs to be explored, but sometimes this exploration reaches a point of diminishing returns. I currently run a project where, as the project manager, I have to do all the IT work myself, and I am sure it costs us a lot of money. It would be great to get some IT people to work on the project, and it would save me money, but it will never generate income for the project. And if my infrastructure goes down, costing me millions, as mentioned in the parent, I am not going to think "If I had spent more money on IT, I would not be here right now." The thought going through my head is "Those IT guys are costing the company millions." Security is like insurance: you buy it based on how much risk you can and are willing to absorb. I don't buy my homeowners insurance based upon the most risk-free solution. It just costs too much, more than the value of what is being protected. The same is true for security. I could buy security which effectively guarantees my data is secure, but it would cost more than the value of the data it is protecting.
  • Well said! But: by Anonymous Coward on Thursday November 09, 2006 @01:25AM (#16780741)
    Then there are the good IT departments that get ignored by management.

    For instance: The company I work for (and the reason I'm posting anonymously) is currently running our main website on a Windows server. From talking to our hosts, it seems that crypto is something the Windows world just doesn't do. By that I mean, we want to install new web software? (PHP stuff -- you know, new version of Drupal, Wordpress, whatever.) We can either pay them $75/hour or so, or do it ourselves, over FTP. Plain-fucking-text FTP.

    It's a small company, so it didn't work when I was the only one who said anything about it. Then I got someone else to say something about it, and now we're actually talking about possible solutions. It's still not a priority, which is kind of understandable. But when someone sniffs our FTP password -- hell, when they simply hijack our connection, casually, really -- they will have credit card numbers for all of our customers.

    Well said about the USB drives, but that is why I actually explain IT issues to management. I make it as simple as I just made it for you. It means I won't be able to arbitrate inane stuff simply to get more power, like you're describing -- in fact, I'm one of two people who work on a Mac; everyone else is on Windows, and I run some Linux servers to test on. But it also means that I will be able to get us the level of security we really need, and that's got nothing to do with a lust for power -- it's no skin off my back as it is, I can even mount it with curlftpfs for easy syncing of my test server to the live Windows server.

    Just realize: it goes both ways. Management should "get" IT, and keep them on a tight rein. But management should actually listen to IT. Unless I'm going to be fully autonomous, I'd much rather help my boss to "get" it, rather than simply figuring out the right concoction of buzzwords to stuff in his ear to get my way.