Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Businesses Security The Internet Technology

On Cybersecurity, Execs Are Burying Their Heads In the Sand (bizjournals.com) 45

An anonymous reader writes shares a report on BizJournals: Despite increased spending on cybersecurity, most executives are unprepared, even willfully ignorant, of the threats that could damage their businesses. A survey of 1,530 C-level executives across of range of industries found a widespread feeling that cybersecurity is an "IT problem," even as CEOs personally shoulder the consequences for breaches. "The Target breach was one of the more significant ones: Executives can be held accountable," says David Damato, chief security officer at Tanium. "But there's still that disconnect. Executives still struggle with: 'What should I be looking for?'"
This discussion has been archived. No new comments can be posted.

On Cybersecurity, Execs Are Burying Their Heads In the Sand

Comments Filter:
  • by gcnaddict ( 841664 ) on Saturday April 02, 2016 @10:07AM (#51827781)
    Put the fucking CISO on the executive board.
    • by Z00L00K ( 682162 ) on Saturday April 02, 2016 @10:26AM (#51827865) Homepage Journal

      Wouldn't help until there's a breach of security anyway.

      Way too many don't see the need for improvements in security until it's too late.

      • The CISO's job is to aid in boosting security posture and mitigate risk. I'd venture that most won't just sit down and plug their ears since it's their job to do exactly the opposite.
    • by Opportunist ( 166417 ) on Saturday April 02, 2016 @01:22PM (#51828723)

      As long as he still doesn't get any power, he's still just the scapegoat. It's like sitting on an ejector seat, and some asshole on another continent you don't even know has the button to shoot you out.

      You don't have to put the CISO on the board. He only needs two powers: First, the power to put his foot down and stop a project if it becomes dangerous. And second to fully put the weight of the responsibility onto the shoulders of whoever overrules him.

  • by Stolpskott ( 2422670 ) on Saturday April 02, 2016 @10:10AM (#51827791)

    Yes, the technical analysis and implementation of security fixes/updates for hardware and software within a company is a set of IT tasks, but the task of budgeting for that is/should be a finance task, with oversight from C-level legal representation.
    If the CEO doesn't know how to handle it, that is fine - as long as he/she understands that they are the ones who will ultimately be left holding the can for a data breach, they will have the incentive to get somebody in place who does know how to handle it - the role of the CEO is to be the figurehead and "big picture" source, not subject-matter expert in all areas.
    So the CEO needs to think "this is an IT problem, but I will be carrying the can for a problem, so I need to talk to the head of IT and see what they need to help me save my job", and work from there.

  • From the standpoint of the CEO, cybersecurity is costly, unlikely to improve earnings or boost the stock price and possibly disruptive to existing business operations. It's much cheaper and easier to purchase insurance against the costs of an attack or breach, should one occur, than it is to be proactive and throw lots of money into techs, consultants and the ongoing costs to deploy, train people and maintain it all. American CEOs are mostly concerned with the stock price in the short term because that is w

    • It's much cheaper and easier to purchase insurance against the costs of an attack or breach

      ...right, which'll result in an Insurance Institute for Cyber Security (ugh) which'll mandate certain precautions in order to reduce losses. Insurance will be the driving factor in determining which controls work, and any CISO would be an idiot to buy insurance and not implement the controls the insurers want.

    • Nice, the CEO will then purchase insurance against a data breach, I don't see any problem with this. However, the insurer will accept to cover the risk only if certain conditions are met. This is then back to the CEO to make sure the conditions required to ensure the insurance will effectively cover the risk and a data breach will not turn into a legal case where the insurer will deny any payment to the company because the CEO didn't take his responsability to make sure the security is managed appropriately
  • The "IT problem" (Score:5, Insightful)

    by nine-times ( 778537 ) <nine.times@gmail.com> on Saturday April 02, 2016 @10:19AM (#51827833) Homepage

    The summary says that many view security as an "IT problem", but it probably fits into the category of IT problems where the real problem is the company's management.

    As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management. The first task is persuading management that security is important enough to even consider. The second is persuading them that it's worth spending any amount of money on, rather than asking IT to do what they can without additional resources of any kind. The next challenge is getting management to listen to security experts rather than going off the CEO's half-baked misunderstandings of how security works. The fourth is convincing them to enforce security policies even in cases when the employees don't like them. Finally, you need to get management to follow the security policies themselves, rather than requiring IT to carve massive holes in the security policy for the CEO's convenience.

    In my experience, it's pretty rare that IT departments can make it past the second hurdle-- being able to allocate money/resources to security. Even when they do, the security that gets implemented is often porous and full of security theater.

    • I'm always blown away by how much work it is to do this with IT. Do they tell accountants to not use basic accounting principles and resources?

      (Well. Maybe sometimes they do.)

    • As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management.

      I work for a government IT security initiative hat has national and regional support to get the job done. Local support is almost nonexistent since fixing security issues means a local tech will have to track down a computer, persuade the user to surrender it, and then re-image the system to bring it back into compliance. They don't want to touch a system unless a user reports a problem. Security is proactive and not reactive. Since I'm the regional rep assigned to the facility, the local management wants m

  • The question that I always have when reading essays of this type is, what is the appropriate course of action? Setting up business information systems to be thoroughly and deeply secure would take 100% of the financial resources of a good-sized organization and would render the business tools virtually unusable by ordinary human beings. OTOH it is becoming increasingly clear that all of our interconnected systems are penetrated to some degree, including those of the organizations banks, trading partners,

    • The key word is risk management. You needn't be 100% secure. The cutoff is no later than where the cost of security trumps the possible damage of a breach (obviously), but it is usually far, far lower.

      What you have to aim for is sensible security. And we're far from even picking the low hanging fruits, there is a lot of quick wins in ITsec most companies simply still didn't go for.

  • by clintp ( 5169 ) on Saturday April 02, 2016 @10:35AM (#51827901)

    Once the executive team figures out that IT security is really important they tend to fuck it all up with an endless parade of audits and consultants

    Like any parade, it's all for show. These people swoop in, make IT teams fill out questionnaires, conduct interviews, write reports, make recommendations, but nothing real actually gets done. What IT needs are people willing to get their hands dirty and actually help out with these projects. IT winds up having more thrown on their plate without increases in staffing or budget.

    Ditch your PricewaterhouseCoopers schmuks and hire someone to actually do the work.

  • "What should I be looking for?"

    How about a competent IT staff that are happy with what they do and don't feel like they're working for bottom dollar.
  • I have had five new credit cards issued in the last year. My bank never tells me who screwed up. If I knew what companies compromised my information, I would not deal with them. Let the market put pressure on CEOs to fix their security.
    • by Intron ( 870560 )

      Penalizing the victims leads to a bad outcome. It will discourage companies from being open about security problems that they've experienced so that they can be fixed everywhere.

  • Sounds cliche but... (Score:1, Interesting)

    by Anonymous Coward

    Windows is the problem. Always has been, always will be. They've done nothing to address their broken auth system. Every APT and pentest since the widespread adoption of NT 4.0 has been: Own any one workstation or server on a network, dump the cached credentials or crack the local admin account, dump the domain controller, crack everyone's password, lulz, repeat lulz until satistified.

    Now, why do businesses run Windows? Office. Seriously the only reason. All other software could just as easily have b

  • Do you think that the companies who are outsourcing their IT jobs and network management to companies in India care about security? Anybody have numbers on what percent of breaches are either inside jobs or recently laid-off workers?

  • If not on the board, answering to the CFO is a good alternative. The CFO ultimately cares about all things that cost money, and should consider things besides uptime. That was a conflict I'd seen before, where security reports to an operations director, who tends to care about little besides 100% uptime.

  • by DogDude ( 805747 ) on Saturday April 02, 2016 @01:41PM (#51828807)
    Of course it's an IT problem. IT people always seem to think that every IT problem is a #1 priority issue in every organization. The thing is, IT isn't #1 unless it's an IT company. IT keeping things secure is just as important as keeping the physical doors locked. It's important, but it's not the CEO's job, any more than it's the CEO's job to make sure that the locks are working properly on the company's doors.

    IT people need to take their heads OUT of the sand, and realize that what they do, while important, isn't any more important than any other pieces of large organizations.
    • No, fuck you in the face. 90% of companies today ARE IT companies, whether they want to admit it or not.
      • by DogDude ( 805747 )
        No, fuck you in the face. 90% of companies today ARE IT companies, whether they want to admit it or not.

        That makes no sense, whatsoever.
  • Comment removed based on user account deletion
  • by Ryanrule ( 1657199 ) on Saturday April 02, 2016 @07:55PM (#51830315)
    Make them fully and personably liable. 20 million customer records lost? At lets say 1 million per person? Drain the execs bank accounts, liquidate their assets, seize their trust funds, put their children on the street. Problem FUCKING solved.
  • Wait... I forgot...... Does Obama dump the screaming new born kids in the fire @ Bohemian Grove during the Cremation of Care Ritual , OR Just the High Priest? Drone The Grove 2016! Yes Grandma, for the last time there will be countless wave after wave of Drones flying above the Bohemian Grove streaming the Cremation of Care Ritual to YouTube and CNN, get over it and take your pills silly...

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...