Why Upper Management Doesn't "Get" IT Security
Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.
The BOFH Approach (Score:5, Funny)
2) Simulate the effects of spyware by displaying the contents of the PHB's um...photo collection along with his browsing history.
3) Demonstrate the impact of weak passwords by logging in as the PHB and sending off a few colorful resignation letters to the CEO on his behalf.
4) Emphasize the importance of reliable nightly backups by indiscriminately doing rm -rf everywhere. (you ARE root, aren't you?)
5) Using the custodian's account, log in and download the entire customer database onto your iPod, load it onto an independent laptop, and use the data to e-mail oodles of spam.
Or you can just tell them the risk factors, in which case they'll just stand in front of the Swiss cheese and sing of how all the holes are theoretical.
Re:Computer people don't "get" business (Score:5, Funny)
I really am a little tired of hearing how IT does not generate any income!
Do the trucks you deliver your goods with "generate an income?"
The 8 Accounting servers go down for 24 hours, 15 Accountants cannot do their job.
20 years ago the company had 50 Accountants doing the job that 15 now do with the aid of computers. I would see this as reducing company overhead, and every time you reduce company overhead you increase profits, thus providing an "Income."
The 4 Authentication servers go down for 24 hours and 5,250 people cannot do their jobs.
5,250 people down for 24 hours (1 Day) is a lot of money (Millions). IT is generating an income by enabling everyone to do their job!
Although IT does not directly generate an income for a company, it does not mean that it is a loss. It does not mean that the company could live without the services that IT provides.
It is like saying the CEO, President, VP, etc. do not generate an Income for the company and are just a big hole you throw money into.
As to the topic of security, my favorite line has been "We will not be implementing security on the accounting servers. We do not want to make an A+ on SOX, we want to make a D and just get by. An A+ would be too expensive."
Re:Does.... (Score:3, Funny)