Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Why Upper Management Doesn't "Get" IT Security

ScuttleMonkey posted more than 7 years ago | from the part-of-your-job-to-explain-it-in-their-terms dept.

126

Schneier is reporting that the Department of Homeland Security has decided to delve into why upper management doesn't "get" IT security threats. The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management. "Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.

cancel ×

126 comments

Sorry! There are no comments related to the filter you selected.

Does.... (1)

Creepy Crawler (680178) | more than 7 years ago | (#16772591)

Anybody know how to get this report for free?

For that matter, does anybody know how all the fire codes, building codes, and such are offered? They too cost in the hundreds of dollars, but they are obtainable for free. What happens is that the books are referenced in court documents, and those are to be made publicly. In essence, for free.

I wonder if the same could be done for this...

Re:Does.... (3, Insightful)

Creepy Crawler (680178) | more than 7 years ago | (#16772843)

I guess I should have explained.

We, the taxpayers have paid for this paper, yet we also must pay for copies of the very document we paid for to begin with.

That's what I dont like. Akin to double-taxation.

(from the BuyMe screen liknked from schneider...)

survey by The Conference Board (sponsored by the U.S. Dept. of Homeland Security)

Re:Does.... (1)

tomstdenis (446163) | more than 7 years ago | (#16773063)

How is that any different from getting a grant to write a book?

You still have to pay for the book, heck the Author even makes a profit off it!

Tom

Re:Does.... (0)

Anonymous Coward | more than 7 years ago | (#16773267)

Because the person who generated the report is salaried, and won't
make another penny from the report's sales.

The difference... (2, Insightful)

Original Replica (908688) | more than 7 years ago | (#16773371)

Given all that we have been asked to give up in the name of security, the fact that this isn't free shows once again that Homeland Security is about money and power, not the well being of the citizens. Yes there is some private sector company involved, but if Homeland Security pays for it, then it should be a study done for the sake of, maybe National Security. And if that is the case then it should be distributed for free. More likely the case, that company is receiveing a return on a political favor (campain contributions)

Re:The difference... (1)

tomstdenis (446163) | more than 7 years ago | (#16773445)

once again that Homeland Security is about money and power, not the well being of the citizens.

Hahahahaha cute. you thought the government was your representative. How naive, how cute...

In other news, taxation with representation, the new 2007 theme....

FDA approvals on medicines we actually need...

Welfare doled out in appropriate amounts with supervision...

Foreign policies that put you less at risk ...

Tom

Re:The difference... (1, Offtopic)

larkost (79011) | more than 7 years ago | (#16775375)

You think that the FDA should approve things simply based on the fact that people need them without considering whether or not they are actually safe?

The FDA will go through the process on anything that a company is willing to pay for the process on and is willing to go through all of the hassle of clinical trials. THe FDA does not decide what drugs are going to be put through the process, the drug companies do. In fact the FDA even has fast-track systems for things that are needed.

If the wrong things are comming to the system it is not the FDA at fault, but rather the drug companies chasing profit. (one could argue that that is what they are obliged to do as companies)

And what exactly would you consider the "appropriate ammounts" for welfare? I ask because that is not a trivial question. The fact that the current amounts are "wrong" is as much a function of there being no empirical way of determining the right amount as it is about disagreement about that amount.

But the foreign policy one I do agree with you on.

Re:The difference... (1)

rossifer (581396) | more than 7 years ago | (#16776741)

Foreign policies that put you less at risk ...
Clinton's been re-elected!! Holy crap! Why doesn't the BBC say anything about that?

Ross

grants and patents (0)

Anonymous Coward | more than 7 years ago | (#16776403)

I agree and say take it further. Anyone doing research using any public money, and then gets a patent from said research, should have that patent be public property for the use of US citizens and US-only corporations (no transnationals there). Enough's enough the tax payer funding private business, then have to pay twice on top of it.

Re:Does.... (3, Funny)

diersing (679767) | more than 7 years ago | (#16775277)

If only there where a set of colors we could code the threats by, then even the "upper" manager could understand.

Re:Does.... (0)

buswolley (591500) | more than 7 years ago | (#16774387)

Its quite possible that the grants that paid for the report didn't cover all the costs associated with creating and distributing the report. In effect the report is subsidized, but not completely funded. For example, mass transit services charege fare, but the fare rarely covers the entire cost of the transportation system; so it is subsidized/funded by the local/state/federal government. If we were to pay the actual fare needed to cover costs, the $1.50 bus ride would cost more like $4.00-$6.00.

Re:Does.... (0)

Anonymous Coward | more than 7 years ago | (#16775049)

When a bus ride can be delivered via the internet then your silly analogy might make some sense.

The report, paid for by tax payers should be freely distributed over the internet. There are dozens of sites (probably even /.) that would even fund the bandwidth costs for free.

Re:Does.... (2, Informative)

larkost (79011) | more than 7 years ago | (#16775659)

You missed the point that the creation of the report (costs of writing it) might not have been completly covered by the grant. In fact it was probably put forward as a proposal this way: the govenment agency wanted a study done, and rather than paying a company the full price to do the work, they payed them half (or some other fraction), but at the end of the job the company gets to re-sell the report.

For the govenment department it costs less for the report they wanted. So they saved the taxpayers money.

Re:Does.... (1)

buswolley (591500) | more than 7 years ago | (#16777037)

Thank you for defending my point, and interpreting it correctly.

Re: Not "Double Taxation" (1)

TaoPhoenix (980487) | more than 7 years ago | (#16776439)

I work with cost estimates daily, and I am the "detail guy" to make sure "both labor and materials" are covered in cost estimates. I haven't seen the detailed breakdown, but let's suppose "you the taxpayer" paid the labor charge for the X guys working on this thing.

Then when you want a copy, they Print On Demand your copy, which is essentially a Materials charge. Just because you are paying two SETS of dollars doesn't mean you're getting double charged.

In Canuckistan, we pay for building codes (1)

denis-The-menace (471988) | more than 7 years ago | (#16773609)

Re:In Canuckistan, we pay for building codes (1)

winnabago (949419) | more than 7 years ago | (#16774407)

Ah, but in Taxachusetts [mass.gov] , we don't.

Does....Utopialand exist? (0)

Anonymous Coward | more than 7 years ago | (#16774061)

"Anybody know how to get this report for free?"

Pay for it with a stolen credit card. I'm sure there's ALWAYS a way to avoid paying people for their work.

"For that matter, does anybody know how all the fire codes, building codes, and such are offered?"

Created by private organizations and others base their work around them. Yeah, I know. I wish everything was free too. But until that utopia comes around people have to be paid.

because our auditors don't get it. (4, Insightful)

Shivetya (243324) | more than 7 years ago | (#16772593)

Upper management would get it but they send the auditors to talk to middle management who doesn't get it. As such auditors decide that a company needs X because garbage in is garbage out.

Many of the upper management people I talk to know more about what we should be doing compared to what we are doing. The problem they have in overriding the auditors is the threat of the government and the shareholders. If they take the safe route the keep their jobs and stay out of jail. Actually the fear of the government is far worse that fearing the shareholders. (thanks to wonderful overreactions by Congress we get even more doing a whole lotta about nothing that ends up preventing us from doing what we should)

Re:because our auditors don't get it. (1)

Otter (3800) | more than 7 years ago | (#16772945)

...and the IT people don't get why adding more and more accounts with more complex, more frequently rotated passwords creates more problems than anything anyone in management does.

Re:because our auditors don't get it. (1)

Richard Steiner (1585) | more than 7 years ago | (#16774415)

The IT folks in the trenches certainly get it, but we typically don't set security policy. :-(

First woody! (-1, Offtopic)

TheManFromTheWoods (1024085) | more than 7 years ago | (#16772595)

a!

dumb morons of the 70's (2, Insightful)

thejrwr (1024073) | more than 7 years ago | (#16772647)

Most upper mangament in my view came into the field in the 70-80s and as long as it donst bother them, they dont care, so why should they care about IT in the first place! they think every thing will be fine as the IT sysadmin will take care of it

Re:dumb morons of the 70's (0)

Anonymous Coward | more than 7 years ago | (#16775633)

This report is ironic, considering that DHS uses Windows on their computers instead of more secure OSes.

That said, I also think that upper management does not "get" IT security because IT people themselves are not always trustworthy. Don't take this the wrong way, there are a lot of great IT people, but in my experience a lot of IT personels are concerned with their own priorities and self-interests. I recall a huge number of UNIX, Macs, Solaris etc. computers replaced with Windows 98 during the tech bubble of the late 1990's and the upper managements were dupped by their IT people into thinking that it was more secure, more easily maintained and cheaper to maintain. I think the situation now, though better, hasn't changed that much.

There are many PHB-type bosses out there. You can't do anything for them. They are hopeless. However, for the rest, IT people share the blame for misleading and selfish policies.

Not that hard (5, Informative)

bhmit1 (2270) | more than 7 years ago | (#16772743)

From the part-of-your-job-to-explain-it-in-their-terms dept.

Lets try this. When you forget to lock your Lexus and it's not there when you are ready to go golfing, that sucks. Almost as much as when you go to use the server and some hackers are using it to joy ride the net and sell all your customer records while you are liable. But unlike the car, where you can buy a new one, it's a pain in the ass to buy a new company image.

Re:Not that hard (1)

foobsr (693224) | more than 7 years ago | (#16773565)

to lock your Lexus

A Lexus? Sheesh.

CC.

Re:Not that hard (1)

hackstraw (262471) | more than 7 years ago | (#16774639)

Lets try this. When you forget to lock your Lexus and it's not there when you are ready to go golfing, that sucks. Almost as much as when you go to use the server and some hackers are using it to joy ride the net and sell all your customer records while you are liable. But unlike the car, where you can buy a new one, it's a pain in the ass to buy a new company image.

Actually, thats a great analogy.

We have transitioned from the industrial age to the information age, and the security will follow that transition.

Also, a clear explanation to give to upper management is that the attention and money spent on security should be proportional to the perceived value of that information and the desire to keep the information available for its users.

Fort Knox has an army base next door and pretty good security. My house has a simple lock that can be kicked in with minimal desire.

Re:Not that hard (1)

MrNougat (927651) | more than 7 years ago | (#16775863)

But unlike the car, where you can buy a new one, it's a pain in the ass to buy a new company image.


And while you're busy working to rebuild your company image, you're unable to spend as much time on generating revenue, and your stock price is falling.

That'll make sure the execs and board members get it, too.

one change... (1)

JimBobJoe (2758) | more than 7 years ago | (#16776941)

When you forget to lock your Lexus and it's not there when you are ready to go golfing, that sucks.

My only complaint about this analogy is that it blames hackers for the loss. I'd blame internal company employees, to make it both more realistic as well as highlight the complexities of IT security that make it different from facilities management.

Re:one change... (1)

dave562 (969951) | more than 7 years ago | (#16777497)

I'd blame internal company employees, to make it both more realistic as well as highlight the complexities of IT security that make it different from facilities management.

That's a very good point. I'm not worried about someone external to the company breaking into my network. With all of the firewalls, IDS', multiple levels of anti-virus scanning and web filtering taking place, the odds of malicious code getting in are pretty slim. My biggest concern is the recently fired employee, or the better than thou Mac user in the design department who would love nothing more than to see the network crumble. Those are the people, the ones who are trusted with the keys (logon accounts in this case) that we need to worry about.

Computer people don't "get" business (4, Interesting)

NineNine (235196) | more than 7 years ago | (#16772767)

Of course CEO's don't want to spend a lot of money and time on security. Unless the company makes security software or hardware, it IS an expense. Computer security should be handled with the same priority as physical security (keeping facilities secure) and basic infrastructure (power, water, telephone, etc.). Any CEO that spends an inordinate amount of time on computer security will, and should be fired. Just because you, as an IT person, spends all day reading about security threats, does not mean that upper management should do the same. A good top level manager understands priorities, and handles them accordingly. IT security should be handled as an absolute requirement to run the business (like power and water), but should be handled with the minimum possible expense, since it does not generate any income.

As a manager, you have to understand that EVERYBODY is screaming at you about their particular area. The marketing people need a bigger budget. The maintenance people are wanting to upgrade this and that. The transportation people need new trucks. That's their job. It's a top manager's job to look at each of these recommendations, and prioritize them in a way that will do the best for the company.

Seems to me like this blog entry is just another example of IT people being too myopic to get any real handle on how a business is run. In case anybody is scratching their heads as to why IT people rarely climb up the executive ranks to manage large companies, this example illustrates that reason very well. (Usually, in large companies, the people running the show are from marketing or finance. Occasionally operations. Never from IT.)

Re:Computer people don't "get" business (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16773413)

It's true that IT is seen as a money-sink with not much ROI as it is. That is, until you tie it to company image, trust, and customer relations. One mishandled backup tape or a discovered intrusion later -- and your company image will take a beating...and would take time to recover any trust and goodwill you may have established with customers beforehand.

Don't get me wrong, I do think there's such a thing as overkill when it comes to security, but there are enough management types out there who don't pay much attention to it at all until AFTER some embarrassing "accident" happens.

There are a lot of departments out there that are wanting company resources, that's understandable. In the end, though, you'd probably agree that to most (if not all) businesses, the ultimate thing that brings in money are the customers. I'm just asking the powers-that-be to ensure that the customers feel comfortable trusting us with their data.

Re:Computer people don't "get" business (2, Insightful)

supersnail (106701) | more than 7 years ago | (#16773639)

I second that.

Too many IT guys present proposals like
  "We need the ACME 3000 discombobulator to prevent DOR attacks,with a TOC of only $30,000".

Instead we sould be saying
"Mr Rumsfeld these Denail Of Reality attacks may cost you
8% points at the polls we could prevent them for only $300,000".

See how much better it sounds.
Buy the "The Bullshit proposal language" (The boy cow book) from O'Really tommorow.

Re:Computer people don't "get" business (2, Insightful)

grasshoppa (657393) | more than 7 years ago | (#16773757)

Computer security should be handled with the same priority as physical security (keeping facilities secure)

Unless you have valuable products you are storing, most places' physical security begins and ends with deterrent and auditing. It's cheaper to put a single lock on the door and an alarm system that logs off site than it is to put in reinforced glass with bars and magnetic locks.

This is not the point of view you want to take with data security, which is the "product" that you are trying to protect.

Re:Computer people don't "get" business (2, Informative)

Fulcrum of Evil (560260) | more than 7 years ago | (#16773847)

Unless the company makes security software or hardware, it IS an expense. Computer security should be handled with the same priority as physical security (keeping facilities secure) and basic infrastructure (power, water, telephone, etc.).

Yeah, it's absolutely vital, and the results of a breach can be devastating.

Any CEO that spends an inordinate amount of time on computer security will, and should be fired.

Maybe this should be handled by the CTO or someone he manages? CEOs do vision, not operations (except when that messes with the vision).

Re:Computer people don't "get" business (1)

ScuzzMonkey (208981) | more than 7 years ago | (#16775149)

Yeah, it's absolutely vital, and the results of a breach can be devastating.

The trick to knowing whether or not it's absolutely vital (which it isn't, not in every case) is to calculate just how devastating a breach could be. That's how you decide how much time/effort/pay-grade to put into it. And sure, that's the CTO's job to determine, but the CEO needs to make sure that it's done, and depending on what the answer to the "How devastating?" question turns out to be, it may be a matter for his or her personal attention.

Every other method of weighing the importance of security is a bunch of blather. You figure out the costs and that tells you what you can afford to spend in protection.

Re:Computer people don't "get" business (1)

Fulcrum of Evil (560260) | more than 7 years ago | (#16776435)

You figure out the costs and that tells you what you can afford to spend in protection.

Yeah, it's opportunity cost, but you have to weigh the chances of a breach against the impact - it's hard to handle 'death of corp' as a cost. Of course, I do agree - proper IT security isn't that expensive, but it is pervasive. You need the common stuff like firewalls and passwords, but you also need to make sure people aren't running Kazaa on their desktops or running trojan elf bowling games while still allowing people to get their jobs done. Part of that is not hiring morons, but that's surprisingly difficult.

Re:Computer people don't "get" business (0)

Anonymous Coward | more than 7 years ago | (#16773855)

The article specifically says that mid-level managers aren't informing top-level managers properly. You're comment says nothing about it and make you sound like you didn't read the article.

Re:Computer people don't "get" business (5, Funny)

Anon-Admin (443764) | more than 7 years ago | (#16773895)

since it does not generate any income.

I really am a little tired of hearing how IT does note generate any income!
Do the trucks you deliver your goods with "generate an income?"

The 8 Accounting servers go down for 24 hours, 15 Accountants can not do there job.

20 years ago the company had 50 Accountants doing the job that 15 now do with the aid of computers. I would see this as reducing company overhead and every time you reduce company overhead you increase profits thus providing an "Income."

The 4 Authentication servers go down for 24 hours and 5,250 people can not do there jobs.

5,250 people down for 24 hours (1 Day) is a lot of money (Millions) IT is generating an income by enabling everyone to do there job!

Although IT does not directly generate an income for a company it does not mean that it is a loss. It does not mean that the company could live with out the services that IT provides.

It is like saying the CEO, President, VP, etc do not generate an Income for the company and are just a big hole you through money into.

As to the topic of security, my favorite line has been "We will not be implementing security on the accounting servers. We do not want to make an A+ on SOX, we want to make a D and just get by. An A+ would be too expensive."

Re:Computer people don't "get" business (0)

Anonymous Coward | more than 7 years ago | (#16774409)

I agree with your comments. Let's see what happens when all of IT walks out of work one day and everything goes down. Keep biting the hand that feeds MBA and BA people, see what happens. Just like the guys who work at the power plants, or the mechanics, or the water treatment plants. They don't generate revenue but without them, you would be back in the stoneage. I understand about the dumb jargon about cost x and revenue y but get it through your thick heads, IT is now so critical to everyday life. As Colonel Jessup said modified to make it revelant:

"You weep for revenue and you curse the IT Department. You have that luxury. You have the luxury of not knowing what IT knows: that IT, while costly, probably saves the company. IT has neither the time nor the inclination to explain itself to a company who rises and sleeps under the blanket of the very reliable IT solutions that we provide and then questions the manner in which we provide it. IT would rather you just said "thank you" and went on your way. Otherwise I suggest you pick up a headset and start answering helpdesk calls. Either way, IT doesn't give a damn what the business thinks about generating revenue."

Re:Computer people don't "get" business (2, Interesting)

CRMeatball (964998) | more than 7 years ago | (#16774563)

I would have to agree that IT people are often too myopic for their own good. Perhaps this concept would make more sense if you realized that all the examples you cited reduced expenses and in no way created income. IT is a support system, period. Generating income means creating something new which can be sold, whether that is a tangible product or some service, which the CEO, VP and so forth are doing. They manage programs and make decisions which generate income. Yes they get paid a lot for it, but they just don't sit at their computers all day reading slashdot and complaining about how they get "ignored" by the people upstairs. Minimizing expenses is a wonderful thing, and needs to be explored, but sometimes this exploration reaches a point of diminishing returns. I currently run a project where, as the project manager, have to do all the IT work myself, and I am sure it costs us a lot of money. It would be great to get some IT people to work on the project, and it would save me money, but it will never generate income for the project. And if my infrastructure goes down, costing me millions, as mentioned in the parent, I am not going to think "If I had spent more money on IT, I would not be here right now." The thought going through my head is "Those IT guys are costing the company millions." Security is like insurance, you buy it based on how much risk you can and are willing to absorb. I don't buy my homeowners insurance based upon the most risk-free solution. It just costs to much, more than the value of what is being protected. The same is true for security. I could security which effectively guarantees my data is secure, but it would cost more than the value of the data it is protecting.

Re:Computer people don't "get" business (1)

Anon-Admin (443764) | more than 7 years ago | (#16776125)

Generating income means creating something new which can be sold, whether that is a tangible product or some service, which the CEO, VP and so forth are doing.

So IT does not produce a tangible service? Like Accounting, File sharing, E-mail, etc.

I have been both VP and President of a multi-million dollar corporation. I understand the needs of the company and the Cost of doing business. I also understand that delivery of a product or service to the customer takes more than just handing them a product. The cost of doing business if a key to key figure (Key to unlock the door in the morning and the same key to lock the door when you leave) and everything must be figured to determine the cost of the service of product.

Who is this person? (0)

Anonymous Coward | more than 7 years ago | (#16776173)

I hope you're not in control of any important systems where you work (if you have a job). With the spelling, grammar, and overall tone of your post, you just validated what was previously posted by a couple of /.ers thus far: IT people are too shortsighted to understand how a business is run.

Take, if you will, your very argument, and replace computers with power, HVAC, water, or trucks. Replace IT personell with maintenance, accountants, attorneys, factory workers, R&D, or what-have-you.

See the point? A business is a BUSINESS. Businesses never wholly depends on only one type of capital.

Re:Computer people don't "get" business (1)

l0b0 (803611) | more than 7 years ago | (#16774013)

I've always thought IT security would be a massive challenge for any medium/large company, due to the simple fact that crackers are not geographically limited, like thieves. That's one of the things any manager should know.

Re:Computer people don't "get" business (5, Insightful)

The Great Pretender (975978) | more than 7 years ago | (#16774057)

I very much agree with ninenine. I'm not IT I'm a major shareholder (which is why I can drink a cup of coffee and read /. mid-morning with no one firing me), on the board and a Principal (interestingly I'm a scientist by training, not marketing or finance). We hire IT people to take care of the IT component, which includes security. They submit a budget, we hack the budget, they complain, but often as not they figure out how to do it. Security came up once and we invited the IT department to tell us the state of affairs. Initially, one IT guy gave a presentation to the address security concerns and what the company needed to do, all that came across in the presentation was unjustified spending. Realizing that we didn't get a satisfactory answer, a couple of months later we asked again and explained why we didn't move forward on the 1st guys proposal. A different IT guy gave a presentation on the same subject and in 5 mins had the money he needed to deal with his concerns. The big difference was that the first guy came in, pulled out the IT ego, techno-baffled us and left us wondering why the hell we should spend the money on something that made no sense to us. The second guy came in and presented a holistic business concept of IT security, used nice simple IT terminology that made sense to us and didn't waste our time showing us how smart he was (we like to think that we hire smart people). We then moved on with running the top end of the business and let IT do their job.

Forget the $495, I'll tell you for free. You want a better chance at the funding, make the upward ladder understand the detrimental effect to the company and their profit if the the security is not in place. That means that you need to find the person in your group who can deliver the message in a nice brief way, using nice simple language that management understands, make sure you have urgency statements in the presentation, but don't be sensationalist, and the selling point is an assessment of the cost impact. The cost of developing security, verses loss of [fill in the blank]. And expect to get the funding in stages, in fact if you present a staged funding plan, it'll probably go down a lot better. Always remember, you don't hold the purse strings and those that do dislike being patronized or being made to look stupid (even though they may be).

Re:Computer people don't "get" business (1)

RingDev (879105) | more than 7 years ago | (#16774515)

Which brings up a wonderful point, or two even.

1) The world needs more well trained and skilled CIOs.
2) The corporate boards need to empower and listen to their CIOs.

There is no reason Peon McJimmy from IT should be presenting a budget and implementation plan to a board. That's what the CIO is for, they have the knowledge, training, and experience to make that translation work well. Sure, the CIO may bring Peon McJimmy along to field any technical questions (the inevitable 'can we do [X]?'). But having a network admin with a tech degree and no experience in budgets, project management, or the upper echelons of the corporate environment make the presentation is just begging for trouble. It presents the vary situation you described: a board making bad decisions. Those decisions are based on a poor presentation, but when the lawsuits come in, it's not that IT guy's name on the line.

-Rick

Re:Computer people don't "get" business (1)

k12linux (627320) | more than 7 years ago | (#16775385)

Good point. There is a reason I've never (knock) lost my job while peers (sometimes with more years of service) were getting downsized; The ability to interact with actual humans and not just hardware.

Management wants someone in IT who can take care of the technical stuff. Managers usually also want explainations of where the money went in terms that make sense to them. They aren't tech experts. Most of them have no desire to be and don't want you trying to make them into one. They hired the IT staff to deal with that.

They want to know how much project X is going to cost and how it will either make more money or will save more money then you want to spend. Face it, if you force a CEO to choose between spending $10k and MAYBE losing $2k of productivity with minimal impact to the reputation of the company... well you won't be getting the $10k you asked for.

If you tell a manager that paying $30,000 for anti-virus software will keep the PCs from getting viruses they'll be consentrating on the $30,000. If you tell them that a widespread virus infection could disable all or at least most of the PCs and the network for 1-2 days while being cleaned up and that it would cost $1,000,000 in productivity then that $30k seems like a good deal.

Re:Computer people don't "get" business (1)

moco (222985) | more than 7 years ago | (#16774139)

I think the problem here is the "language" barrier between IT people and management. As you state, the topmost-manager will be thinking revenue, profit, expenses while the IT manager will be thinking crackers, virii, spyware, worms, failing hardware, etc. I firmly believe that it is the IT manager's responsability to translate from "0-day exploit","broken TBU" and "expired anti virus licenses" to "loss of revenue", "smaller profit" and "increased expenses". I have tried doing this and guess what... it works.

Re:Computer people don't "get" business (1)

curlynoodle (1004465) | more than 7 years ago | (#16774153)

IMO, securing a company's data is somewhat different than securing the company's facilities. Insurance can pay for inventory and equipment lost due to fire, theft, acts of God. However, no amount of insurance can pay for lost or stolen information.

Re:Computer people don't "get" business (1)

RingDev (879105) | more than 7 years ago | (#16774293)

I believe both you, and the original author are on opposite ends of the same hyperbole.

While yes, upper management has to balance the needs of the company against the financial ability of the company. But at the same time you can't look solely at profit potential for investment. You must also look at risk vs reward and opportune costs.

risk vs reward, if your company is dependant on 5 delivery trucks for their revenue, and one of those trucks dies, you are out 20% of your revenue. If your company (like pretty much all mid and large sized companies are) is dependant on a computer network for their revenue, if the network fails, you are out 100% of your revenue. Regardless of whether the truck or network is the services or goods that produce a profit.

opportune costs, as some of the other people have mentioned, you don't NEED IT to do most of your business processes. But you have to look at it as an opportune cost. Is it cheaper in the long run to hire more employees, or to improve the efficiency of your IT systems? Sure, that new software package may cost 3/4 of a million dollars, but the alternative is expanding your human resources budget by $100,000/year for enough manpower to maintain growth. In under 4 years you would be saving hundreds of thousands of dollars by depending on the IT solution to scale with growth as opposed to increasing human resources.

The big threat though is not failure, but theft. If a competitor were to get a hold of my organization's customers and contract information, they could literally crush our company. 3rd party buyouts and undercutting prices on goods and services. We could easily lose $100 million dollars in annual revenue due to a breach like that.

Does that mean that we should go balls to the wall with security? No. But it does mean that the needs of IT must be weighed with a lot more in mind that the numerical value they bring to (or take from) the books.

-Rick

The BOFH Approach (5, Funny)

Anonymous Coward | more than 7 years ago | (#16772805)

1) Explain the effects of a DOS attack by shutting off power to the beancounters' servers.

2) Simulate the effects of spyware by displaying the contents of the PHB's um...photo collection along with his browsing history.

3) Demonstrate the impact of weak passwords by logging in as the PHB and sending off a few colorful resignation letters to the CEO on his behalf.

4) Emphasize the importance of reliable nightly backups by indiscriminately doing rm -rf everywhere. (you ARE root, aren't you?)

5) Using the custodian's account, log in and download the entire customer database into your ipod, load it onto an independent laptop, and use the data to e-mail oodles of spam.

Or you can just tell them the risk factors in which case they'll just stand in front of the swiss cheese and sing of how all the holes are theoretical.

Re:The BOFH Approach (0)

Anonymous Coward | more than 7 years ago | (#16774631)

Not necessary.

Just have a first rate company come in and do a pen-test from the inside of the network. Ask them to crack passwords, and determine what's vulnerable, drop a file on an open share, but do no harm, and don't actually break in.

Then hand the uppper-management a report that includes the middle-level manager's passwords, along with the domain admin password, along with a few (dozen/hundred/thousand) open shares.

Oh yea, don't forget to have them do a wireless test.. :)

Since it's in writing, from a third party it pretty much can't be "ignored", especially if it's a publicly traded company.

Ah, "Feel the Joy"(tm)....

Re:The BOFH Approach (1)

Archangel Michael (180766) | more than 7 years ago | (#16775603)

This is not "funny" but actually insightful. Often it takes a reality check before the $$ flows.

I know, Cause I'm the guy that usually forsees the problems months, and sometime years in advance, and utters the famous words "I told you so" (which doesn't go over very well most of the time). I always give the warnings out, and they are always ignored. When the chickens do come home to roost, I have the email trails to show that I saw it coming, and that the people who could have prevented it choose to ignore it, rather than deal with it.

Right now, our company is dealing with the third month in a row where viral outbreak occurred on several campuses. We are just now fully implementing Enterprise AntiVirus Solution, making full patches to the old machines, and getting them all joined to the domain properly. 5 years after I started working and started to make noise about it all.

Oh well. I get paid my salary one way or another, so I don't really care. I'm thankful for the overtime I'm getting these days.

Re: DOS Attack! (1)

TaoPhoenix (980487) | more than 7 years ago | (#16776605)

"We're sorry, but those lovely GUI's that Apple popularized have been shut down. Everyone turn to their C: prompt now."

apparently customers dont want it (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16772817)

I think management think if you spend the money and take the time to release a secure product .. you get behind, have a more expensive product, and lose in the market. Since it's enormously (and often infeasible) to certify a product as 100% secure .. where do you stop spending the money on security? If they waited for IE or Firefox to be 100% secure before ever releasing it .. we'd use other browsers (which may actually end up being either less secure or not as good).

People have shown a willingness to put up with insecure half ass reliable products .. i wont mention any products or websites that have had issues. But the point is, for all it's ranting about wanting security and reliability, it appears to me the market just doesnt forgive those who would spend the time and money on these things.

And yes, this must change.

It's not a fucking trap! (0)

Anonymous Coward | more than 7 years ago | (#16772835)

Whoever keeps posting "Itsatrap" in the tags field needs to quit it. It's not even remotely funny and has no point. Grow up you childish gimp.

If upper management doesn't "get" IT security.. (2, Insightful)

rob1980 (941751) | more than 7 years ago | (#16772871)

Why would they spend $500 on a report to help them get it?

Not surprising... (2, Insightful)

tomstdenis (446163) | more than 7 years ago | (#16772917)

"Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.

Bruce isn't in the business for giving out his top notch observations for free.

Are any of us?

I'd say it's a pretty lame attack to point out the cost as a negative. Just admit that you're not interested in his opinion and move on.

IT security sucks for this very single reason: It takes effort.

The solution? Demand effort.

Tom

Re:Not surprising... (1, Informative)

Anonymous Coward | more than 7 years ago | (#16773489)

"Thankfully", the $495 report (if you aren't a "Conference Board associate") helps tell you how to handle the situation.p Bruce isn't in the business for giving out his top notch observations for free. Erm, the report is not Bruce's; it's from a consulting co. hired by DHS: http://www.conference-board.org/publications/descr ibe.cfm?id=1231 [conference-board.org] Navigating Risk -- The Business Case for Security Author: Thomas E. Cavanagh Publication Date: October 2006 Report Number: R-1395-06-RR This report details the results of a survey by The Conference Board (sponsored by the U.S. Dept. of Homeland Security) of 213 senior corporate executives working for a broad range of companies. Results show the importance of managing and mitigating risk in making the business case for security. Companies that have the most to lose, tend to be the companies that are most willing to invest in security. These companies include those in critical infrastructure industries, large corporations, multinationals with global operations, and publicly traded companies. Topics Covered: * Alignment with Business Objectives * Risk-Related Metrics * Different Metrics for Different Industries * Involvement in Security Activities * Access to Senior Management * Influence vs. Support in Security Decision-Making * Security, Risk and Competitive Advantage * Certification Standards and the Loss of Business * Putting a Limit on Security Spending

Re:Not surprising... (1)

00Dan (903094) | more than 7 years ago | (#16773921)

Which is why, whenever I get a call regarding some survey, the first words out of my mouth are "What's in it for me?" I don't get paid to help some marketing firm or research company do surveys, so if they want my help I expect something in return. At a minimum, I expect a copy of the report.

Re:Not surprising... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16773955)

I really don't like your general attitude, Tom.

Kindly slice your wrists and lie in a hot bath.

Re:Not surprising... (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#16775331)

>I'd say it's a pretty lame attack to point out the cost as a negative. Just admit that you're not interested in his opinion and move on.

I can see two reasons why that would be a valid point. One is that since the DHS commissioned the report, we've already paid for it. The other is that as near as we can tell from the excerpts this report isn't a collection of top-notch observations.

I only charge for customized advice that translates into specific actions for a client. Generic statements might as well be free.

would have thought they where idiots (0)

Anonymous Coward | more than 7 years ago | (#16772927)

and it proves it, $495 to tell people that they dont know something....

hell id do it for $349.99

Too rich for my blood. (3, Insightful)

Rob T Firefly (844560) | more than 7 years ago | (#16772943)

The results aren't terribly surprising to those in the trenches, stating that most executives view security as something akin to facilities management.
Sort of what I expected, but it still might make an interesting read. Perhaps I'll get a copy.
"Thankfully", the $495 report
Ouch! Screw that noise. Although, I may have stumbled upon why the IT crowd doesn't "get" upper-management decisions like spending half a grand on the same info you could get by talking to someone in the field over the morning coffee and bagel.

Re:Too rich for my blood. (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16773185)

How about the decision to buy the CTO a $34,000 Desk and office furniture? yet nix buying that new server that holds the critical finance data because "we cant afford it this year"?

I dont get "them" because "They" are simply bullshitting everyone already.

Sorry but no executive is worth what he/she get's paid... not for what I see they do for the company.

The general problem with IT. (4, Insightful)

Kenja (541830) | more than 7 years ago | (#16773049)

The general problem with IT work is that if you do your job realy well, nothing happens. So you then have to deal with questions like "why did we spend all that money on y2k when nothing happened".

Its almost worth messing up from time to time just to show what would happen every day if you weren't there.

Re:The general problem with IT. (1, Insightful)

NineNine (235196) | more than 7 years ago | (#16773567)

Its almost worth messing up from time to time just to show what would happen every day if you weren't there.

Yeah. And how about the janitors? Maintenance people? Trucking people? Accounting people? Shipping people? People in manufacturing? IT is just one part of a massive support staff that it takes to run any business.

I'm sorry to break the news that IT isn't necessarily any more important than the people that make sure that the toilets flush and the power bills are paid. Actually, as a business owner, if I had a fixed amount of money and had to decide to spend it on either A. A plumber, B. More help on the loading dock, or C. IT, I gotta say that C would be last on my list. Sorry guys. I can run my business with somewhat broken computers. I can't run it with no toilets and nobody to receive the inventory.

Re:The general problem with IT. (1)

Kenja (541830) | more than 7 years ago | (#16773813)

"Yeah. And how about the janitors? Maintenance people? Trucking people? Accounting people? Shipping people? People in manufacturing? IT is just one part of a massive support staff that it takes to run any business."

All of those produce tangible results. The goal of a lot of IT work, security especially, is to produce nothing.

Re:The general problem with IT. (0)

Anonymous Coward | more than 7 years ago | (#16774439)

>Sorry guys. I can run my business with somewhat broken computers.

Sounds fine. So you order up the plumber or hire the loading dock guys. Two weeks later you have to cut a cheque for them. But there's a problem. The accounting person's computer is not working. So you write it by hand, or maybe you just make up a word doc to simulate the cheque, you know, to make it look a bit more professional. This happens for two or three months and heck, everything seems ok.

Then you get a note from the bank telling you they will no longer process the cheques. You call and ask why?

Turns out that the accounting person never got the memos you emailed her to account for the extra $5,000 in expenses you ran up each month and now the bank account is dry.

Solution?

Insolvency. (Wait a minute, it's insolvency when something won't go into solution? Hmmm...)

Don't think it could happen to you? Heh. Try it and see...

Re:The general problem with IT. (1)

Iron Condor (964856) | more than 7 years ago | (#16776045)

Actually, as a business owner, if I had a fixed amount of money and had to decide to spend it on either A. A plumber, B. More help on the loading dock, or C. IT, I gotta say that C would be last on my list. Sorry guys. I can run my business with somewhat broken computers. I can't run it with no toilets and nobody to receive the inventory.

Not so long ago, this post would have been impossible at /. Either the geeks are starting to grow up, or the demographic of /. posters has changed.

I'm actually surprised how many posts there are by people who actually get the business side of thing. Who actually understand that IT is a service as much as any other service. No worse, but certainly no better.

And, I might add, already vastly more expensive than all plumbers in the facility combined.

And, I might add, all managers run computers at home, so they can't be bullshitted by the technobabble that pretends great difficulty in "just keeping it all running". They've all bought a new computer once and struggled to set it up. Many, many fewer of them have set up the new water-heater they bought...

Re:The general problem with IT. (1)

hachete (473378) | more than 7 years ago | (#16776297)

YMMV, though. I help run the distribution build process (from source code to CD) for a software company and I get this all the time. We're lumped together with the cleaners, the plumbers etc. Yet, if my build servers break, nothing is tested, no product is shipped etc. Period. We're the factory-line for software: we can last for a while if the toilets break or the cleaners go on strike, but we stop if we can't ship product. Most assembly lines these days depend on computers. So, yeah, IT is more than often a step above the cleaners.

You inse8sitive 3lod... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16773089)

Users With Large previously thought numbuers. The loss Nigger Ass[ociation Said. 'Screaming

I can tell you for free (2, Insightful)

Eli Gottlieb (917758) | more than 7 years ago | (#16773193)

Upper management doesn't get IT because upper management doesn't get much of anything. They only see numbers, numbers they must play with until they add up to a plus mark.

Re:I can tell you for free (1)

element-o.p. (939033) | more than 7 years ago | (#16773661)

Yeah, but if the PHB can't make the numbers add up to a plus mark, then I don't get my paycheck every other Friday, so I think I'll cut him a little slack.

Re:I can tell you for free (0)

Anonymous Coward | more than 7 years ago | (#16773709)

They only see numbers, numbers they must play with until they add up to a plus mark.

That's hard to do when the guys in IT only spend money and don't make any.

Re:I can tell you for free (0)

Anonymous Coward | more than 7 years ago | (#16775155)

Those numbers are what make your IT budget possible.

The approach I keep hearing about (4, Insightful)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#16773435)

Don't try to talk ROI. You'll be talking to finance people who will see instantly that there's not enough data about quantitative risks to back up what you're saying.

Instead, calculate the cost of a breach. Then walk up the chain of command with the message "Like any risk, we can avoid it, mitigate it, transfer it to an insurance company, or accept it. If you do nothing you're accepting it. If you accept it then on the day a breach happens you will spend eleventy thousand dollars of company money. Do you have signing authority for eleventy thousand? If yes, here's the cost of a couple of mitigation options, and you're the boss. If no, you understand that I'm only going over your head because the decision has to be made at that level."

The real question (1)

Original Replica (908688) | more than 7 years ago | (#16773449)

Can I download it on bittorrent yet?

Problem? (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16773467)

I don't see the problem here. Upper management is ultimately responsible for how the company fares, right? So if they decide that security is worth so-and-so much and they're going to mandate this-and-that policy, that's fine. If they make good choices, the company will do better than if they make bad choices. Since upper management is (at least, should be) accountable for how well the company fares, this will take care of security just like it takes care of everything else.

Re:Problem? (1)

tiberus (258517) | more than 7 years ago | (#16774269)

It goes something like this...

We (the IT professionals) are responsible for IT security, which means we have to make them get it. If we propose a security solution and it is rejected we still tend to get the short end, i.e. fired.

I have talked till I am blue in the face about threats and what can be done about them and in many cases finally gave up. Something like "I gave them all the information, I explained it to them not once not twice and they still said no. So Management has accepted the risk."

Ala-peanut butter and jelly sandwiches, the breach I proposed a plan to protect against of mitigate occurs... Inka-dinka doo I'm out of a job.

Re:Problem? (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16776761)

``Ala-peanut butter and jelly sandwiches, the breach I proposed a plan to protect against of mitigate occurs... Inka-dinka doo I'm out of a job.''

Well, I would say it's their loss, not yours. They lose someone who gives them good advice, you get rid of a stupid Management.

angle (0)

Anonymous Coward | more than 7 years ago | (#16777221)

Are you a shareholder? Do you know other shareholders who might "get it" on security? You have some rights there, even if as an employee you might have less.

disclaimer, always check with your barber and bartender for proper legal advice

disclaimer 2, I'd say check with your union, but like bosses with security, the vast bulk of slashdot IT guys working fulltime for some big transnational corp don't "get it" with unions or how they *could* work-notice I said "could"- if well run and vigorously maintained to keep teh mob out.

What about non-profits? (1)

yancey (136972) | more than 7 years ago | (#16773543)

The article says "the cost of business interruption was the most helpful metric." That's great with a for-profit business that loses money when their computing systems are down and customers will go to another vendor. What about non-profits, government, education, etc? These types of operations don't have a strong monetary incentive to keep systems secure. If the tax collector's office computers are down because of the latest virus, it doesn't cost the government anything except time. They are still going to get your money.

Re:What about non-profits? (1)

dave562 (969951) | more than 7 years ago | (#16777547)

Sure they do. Most non-profits have a development department. Those development department employees usually have what is akin to customer (donor) information. They need that information to be secure.

Of course they don't get it (1)

thewils (463314) | more than 7 years ago | (#16773605)

Haven't you heard of this [wussu.com] ?

Why should they get it? (1)

mawhin (635345) | more than 7 years ago | (#16773835)

Surely that's what they pay us for?
I sysadmin in education, and it's clearly a complicated business, far too complicated for any one person to sweat all the details. So some of us sweat finance. And some of us sweat the procurement of funding for 16-19 year olds. Some of us know what 'pedagogical' means ( not me ).
Our senior management are pretty good at what they do, which is to trust their specialist to do our jobs, and challenge us to justify our calls for resources and excuses for problems.
The problem, I think, are twofold:
Us arrogant self-centred IT folk, who expect everyone else to care about how it all works, or just to accept without question what we assert. It's my job to explain to others, ** in terms they can comprehend **, what they need to know about my field.
Those arrogant, incompetent senior managers who won't trust their specialists to do what they're good at. It's their job, once we've explained in their terms, what the deal is, to make the call based on that, and trust us to sweat the details.
I agree with the other posters who advise couching security needs in financial/risk terms.

And... ? (1)

Iron Condor (964856) | more than 7 years ago | (#16774017)

Since I can't read the report without forking over money: The writeup suggests that there's something wrong with the notion that IT security is akin to facilities management. It doesn't say HOW it is different, though.

As far as I can tell, IT security and building security are pretty much the same idea. You my squeak by without any; you probably want to pay a couple guys to provide some basic security service; there's a diminishing return at the upper end, where hiring more security guards doesn't really make your facilities any safer; no amount of security folks will ever give you absolute security, but it is sufficient to be more secure than the neighboring company so as to not be "low hanging fruit". Many of the folks in the field are dedicated professionals, many others are posers who have no clue what they're doing. They constantly send you requests for more money/people/power and tell you that you're doomed if you don't beef them up. You keep'em funded at some reasonable level and you resign yourself to the occasional breach. Because there's nothing you can do about it.

Seriously: where is the difference?

In a way, it is like facilities management (1)

davidwr (791652) | more than 7 years ago | (#16774063)

Good facilities management includes good external security and good internal physical security, like door locks, security cameras, telecommunications management, etc. It many also include locks on individual desks.

If the analogy holds, then IT security includes all "locks" and "cameras" throughout your IT infrastructure.

I HOPE that the CIO takes IT security as seriously as a building superintendent and physical-plant-security team take physical security.

Finally (1)

LindseyJ (983603) | more than 7 years ago | (#16774127)

Finally the Deptartment of Homeland Security is looking into some really dangerous people: upper management!

Our tax dollars hard at work!

hero syndrome (1)

herojuana_x (997891) | more than 7 years ago | (#16774259)

Proactiveness is generally not rewarded or understood by upper management. How can you look like a hero if you haven't fixed anything lately. Putting money forth to mitigate potential risks has no immediate payoff; monetarily or for image. Buy the product or resources after something bad happens, then you can fix it, then you're a hero.

Be glad they don't get it (5, Insightful)

1369IC (935113) | more than 7 years ago | (#16774365)

IT stuff is voodoo to most upper management, and I'm convinced IT shops get away with things they never would if the upper management understood IT as well as they understand, say, supply. I was upper management in two government organizations heavily dependent on IT. As a fairly competent computer user who likes to keep up with current events, I fought with our IT folks endlessly -- at least the management.

The first problem is IT quickly forgets that -- like everybody else except the people actually doing the core functions of the organization -- they are a support organization, not a control organization. They latch on to their ability to throw out security and voodoo computer terms to persuade the upper management to let them set policies. Upper management doesn't understand the policies at all, and often has no choice but to side with the IT pros no matter what the actual users want or need. As often as not, they then set policies that are purely for their convenience (for instance, wanting to standardize on Windows and a strict set of programs even though they support 25 or 30 different sections, some of which have been doing things like digital photography, desktop publishing and design on Macs for years). From the users' perspectives, IT makes using the actual IT resources as painful as possible to make their lives as simple as possible, and the fact that they're hampering actual mission accomplishment doesn't bother them.

Next, they have a sweet deal going where they set a bunch of standards that require certain certifications or skills, so they hire people who perpetuate those standards, and only buy things that are compatible with those standards. This then requires getting on an endless treadmill of more training, more personnel, more software, more hardware, etc. And all the while they make it clear that it's lunacy to buy anything that doesn't have vendor support because if it actually breaks they can't be expected to get it going again using only the training, hardware, software and people that they have brow beat management into paying for using money that *every other part of the organization* was crying for and could have put to good use, too.

Lastly, on a day-to-day basis, far too many of them think that, because they're IT, it's their right to be arrogant, socially or organizationally inept, or just plain weird -- and sometimes it's a combination, so you get a organizationally inept weird guy being arrogant. How many of those does it take to ruin a shop's reputation? (IT certainly has no corner on that market, I'll grant you).

I could go on here, but I'm sure I've pissed off enough people already. I came from the internal communications side of things -- journalism and later PR. In my field management always thinks they can do your job better than you can because, hey, it's just writing and talking. Eventually, I got promoted into management and in dealing with IT I saw that their best defense is that almost nobody in a position of leadership (being mostly older guys, half of whom had never launched a program that wasn't sold by Microsoft) understood what they hell IT did or what it took to get it done. So all it took was a good talker or somebody who learned to cite vague security mandates from higher headquarters to get much more of what they wanted than anybody else did.

Of course, it also left IT open to being weaker when their leadership was weaker (or less smooth). But I didn't run into that. I ran into IT shops that got more of their resource requests approved than anybody else, but didn't really realize it and kept whining for more even though their support curiously never got better no matter how much you spent on them. And for every new capability you read about on Slashdot, they came up with two new security policies that made using it impossible.

Now I'm back in the trenches and don't get to go to the meetings where the IT guys try to talk the boss into banning the USB drives everybody has taken to using because the e-mail size limits and piss-poor network can't support the huge files people create to do their jobs, and they support their argument with a bunch of BS about how USB drives are a much worse malware vector than floppies or CDs -- to say nothing of the famously porous e-mail and browsing software they *require* everybody to use.

Luckily, I learned to cheese the low-level IT guys so I can still run a few off-the-list programs and secretly have admin privileges to my machine despite IT policy.

But in the end, it's an old story: be careful of what you wish for. You may get it.

Re:Be glad they don't get it (1)

orderb13 (792382) | more than 7 years ago | (#16775519)

Unfortunately there are all to many IT depts out there like that. Ideally IT should be there to help the buisness flow more efficiently, but more often you get some stuck up network, or system, admin who thinks he has to play god and makes everyone else's job harder. This is more often than not a sign of incompetence.

Just remember that not all IT departments are like that, because mine isn't. We actually make a concerted effort to give the users what they want.

Re:Be glad they don't get it (1)

pete6677 (681676) | more than 7 years ago | (#16776521)

These are the type of IT departments that deserve to be outsourced to Bangalore. And they're always so surprised when it happens.

Yet Another Way Not to Get It... (1)

tiberus (258517) | more than 7 years ago | (#16774483)

I was asked by my boss (IT Manager) to put together a list of all the security projects I had talked to him about over the last year or so, for a meeting the next day. Should have put time into determining costs, resources, etc. but, hadn't done it before and didn't have time now.

We were to present these ideas, little over a dozen of them, to our VP on the business side of the company. Projects ranged from migrating systems to the DMZ to implementing Single Sign On.

All the projects were approved by the VP and could he please have them all by June, it was February...

What People Are Willing To Pay (1)

Temujin_12 (832986) | more than 7 years ago | (#16774685)

Although, I may have stumbled upon why the IT crowd doesn't "get" upper-management decisions like spending half a grand on the same info you could get by talking to someone in the field over the morning coffee and bagel.
Think of the half grand as the market price people are willing to pay to avoid having a conversation with IT.

If this were fark... (0)

Anonymous Coward | more than 7 years ago | (#16774775)

...this would have been posted with an 'OBVIOUS' tag and everyone would be posting Owls.

So what? (0)

Anonymous Coward | more than 7 years ago | (#16775939)

Why do you care. Protect your ass and move on.

Simple answer: Manager think like managers (1)

Opportunist (166417) | more than 7 years ago | (#16777351)

You have to understand that managers, especially middle managers, are by their very nature bureaucrats. In their world, a problem is analyzed, a solution is found, this solution is transformed into a policy, this policy is published and stands for the next millenium. And this policy is applied to every problem thereafter. What is completely alien to them is quick adaption to quickly changing needs.

And that's exactly what security is.

Security is also an expense that is much like an insurance. It's something you spend money on, and you hope that you spend it in vain because you never need it. It's not really a "selling point" for security, to spend money on something you don't want to have.

Unlike insured risks, computer security is not really tangible. A fire insurance sits well in the heads of a manager. Fire is a hazard. Fire strikes and you can't be productive for days/weeks/months. A trojan just siphons some of your bandwidth. Hardly any ever really "steal" company secrets. Why bother? Because you're a spamchucker? Who cares, after all you're not responsible (in many countries at least, not in all thankfully) what your computer does.

It's an expense that's hard to justify towards managers. So far, few companies outside of the IT field really suffer bad PR from being a trojan haven or a spam center. It can actually be cheaper to ignore security. First of all, the infected computer is going to be cleaned by your admin who's probably half idle anyway. Second, it's cheaper to buy a spare computer than to employ a complex security routine. And finally, it's a useful tool if you want to cut someone's salary, i.e. blame the lack of security on your employee.

Re:one change... (1)

Chandon Seldon (43083) | more than 7 years ago | (#16777601)

Even external attacks are the fault of internal departments. You can think of the internet as having an automatic mechanism whereby insecure servers get pwned by script kiddies - the script kiddie isn't the problem, it's whoever didn't secure the server.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>