KPI: Nuts!
Execs keep flinging money at us instead of understanding security, moan infosec pros
Fresh from years of complaining about underfunding and not having enough staff to deal with problems, infosec bods are now complaining that corporate execs merely firehose cash at them without getting their own hands dirty or engaging with the problem. That's one conclusion that could be drawn from a Trend Micro study …
COMMENTS
-
Thursday 3rd February 2022 14:06 GMT emfiliane
I get it though
Being handed £10 million and told "fix this problem, or your department's fired and we'll replace you with Accenture or Autonomy or, you know, one of those names," but also not being allowed to slap executive crybabies when they want to respond to their favorite 419er and read employees' mail. There's no amount of money that can be shovelled at the problem to fix it.
-
Thursday 3rd February 2022 16:05 GMT Anonymous Coward
Re: I get it though
Collective bargaining. When you're stuck between putting yourself at risk for doing the job or blackmailing the execs... collective bargaining.
Of course being threatened to do your job with a lump of cash isn't the worst threat. Just make sure when your project is finally successful that you put the names that matter under a bright company-wide statement, and the names that don't help in the exact same bright light.
"Thanks to Sarah's genius at cracking the problem while Steve applied the appropriate logic in a timely manner, with the help of clean working conditions maintained by the janitorial staff, nobody was hindered by Frank's faulty but extremely considerate corporate directive and thus we met our goal of XYZ."
-
-
Thursday 3rd February 2022 14:13 GMT Anonymous Coward
"...adding that 38 per cent of respondents wanted the CEO's neck to be on the block for security failures."
That is a nice sentiment, but management never takes responsibility for anything except a rising stock price or market share. They are a revolting creature, designed to collect glory and pay while downloading any and all responsibilities and efforts to the peons (as they think of the staff). Note that they are talking "large" operations, not mom & pop shops where there are still human beings with ethics running the businesses, not hired suits.
-
Friday 4th February 2022 01:46 GMT doublelayer
As much as I like blaming management for things they certainly would do wrong if they had the chance, this is something that requires more analysis. When is the CEO responsible directly for something going wrong? I think we all agree that, if it's something known by them or the managers that frequently meet, it's something the CEO should be working on. Similarly, if one guy leaves something unsafe in a lab and starts a fire, we don't consider them responsible. Every issue falls along this scale.
Where does security fall into this? Usually, I think it depends on the level of obstruction management has placed on the people concerned. For example, if the CEO refuses to budget for backups and the company has an event that backups would fix, that can be management's fault. If they do budget for backups but the tech department fails to set them up, they're not. In that situation, and assuming the article's conclusions are accurate, I have less sympathy for the techs in this survey. If you have lots of money, unless there's some restriction on how you can use it, it sounds like management is agreeing that the problem is important and providing resources to get it solved. If they're still responsible for a problem, there should be a clear answer to the question "what should management have done that they did not do", and it's less clear what that is.
-
Friday 4th February 2022 11:32 GMT DevOpsTimothyC
@doublelayer in every role I've been in, senior management has prioritised getting new features out the door over security. The only time security is taken seriously is when things like the latest log4j, or heartbleed, or similar makes the headlines. At all other times the response is "We'll take the risk".
The problem is that "We'll take the risk" has an unsaid "because there are no serious consequences of not taking that risk". Look at the Tesla stop sign feature as an example.
Tesla didn't even have to produce logs of every time a car (under software control) failed to stop at a stop sign. Why didn't they have to pay the maximum fine for every time the car failed to stop? Someone at Tesla consciously made a decision to ignore that traffic law. Perhaps if, as a minimum, they had to pay the fine then they would think about it. Perhaps if they were forced to immediately disable self drive and all the other driver assist features until this was corrected, and/or all the people involved all the way up to Musk were banned from driving from now until 6 months after the fix is implemented, it would hit home.
-
Friday 4th February 2022 18:48 GMT doublelayer
I agree about the typical pattern, and in that pattern, I do not object to the CEO being held accountable. In most cases, I encourage it. Where I'm less comfortable doing it is the situation described in the article. In your situation, they likely didn't give you an unrestricted massive budget for the express purpose of improving security. If they did, they've already taken the step most other companies have neglected. It still depends on the specific situation, but unless the security team has identified something necessary that management refused, they seem less responsible.
-
-
-
Thursday 3rd February 2022 16:54 GMT Anonymous Coward
Ah...."executives"......but what about their customers?
Isn't it curious that this report makes ABSOLUTELY NO MENTION of the impact of security breaches on the customers of these "corporations"?
Take the Equifax hack.....which allegedly affected 143 million people......
....and all we get here is the useless opinions of '...5,000 "IT and business decision makers"'......
....and that's JUST ONE HACK!!!!
Millions of people are put at risk.......and 5000 "executives" complain about "too much money coming their way".....
Am I missing something here?
-
Friday 4th February 2022 07:29 GMT Anonymous Coward
Trying to engage the business in Cyber Security is pushing a very big thing up a vertical cliff where the management up top are throwing things at you to knock you down. In our case it starts with having an 'IT' manager who is not technically competent enough to be able to understand the risks. Then, as the IT manager reports to the Finance Director, any issues that do get raised are never given the same level of review as, say, health and safety, which does get board level representation. I've been looking at my next steps recently and have been amazed at how little value companies put on decent IT management and security, especially those that would literally lose millions a day when things go wrong!
-
Friday 4th February 2022 07:43 GMT Screepy
Sadly this.
Our IT department was delightfully reshuffled in a recent restructure.
We were moved directorate from Finance (how old school!) to the Fundraising and Comms directorate.
Er... What?!
So my director is now someone with lots of advertising and social media experience but knows sweet FA about anything in the IT world. And this person has to represent our requirements at the board level *sigh*
-
Friday 4th February 2022 08:15 GMT Anonymous Coward
"I’ve been looking at my next steps recently and have been amazed at how little value companies put on decent IT management and security, especially those that would literally lose millions a day when things go wrong!"
End of last year, I had the privilege of contemplating a big company that had been running its whole core systems on unpatched Win2008 servers.
See, extended 2008 support is expensive, so scrap that of course, what could go wrong? And moving to 2019 is costly and risky ...
As a matter of fact, things *went* wrong, as some cybercriminals spotted the low hanging fruit, and BAM, they got hit. One month of whole company systems put down for de-infection.
Nice one, that every IT person around saw coming years before. Cluelessness of IT mgmt was beyond imaginable ...
-
-
Friday 4th February 2022 08:21 GMT Potemkine!
Execs keep flinging money at us
means execs begin to give a little more money for cybersecurity, not that people in charge of cybersecurity are standing under tons of bank notes falling from the sky.
There's something positive: at least execs begin to understand there are real threats out there, and that the risk does exist. It's progress from total ignorance.
Many are far from realising how serious it is and all the efforts to make, but it's nonetheless a step in the right direction.
-
Friday 4th February 2022 08:49 GMT Anonymous Coward
In my experience, we have managed to gear up reasonably well to serve desktop security needs.
Chat logging, key logging, process monitoring, securing local admin accounts. Regular user education. It's not perfect, but if you want a web browser you have to live with the vulnerability that creates.
The bit that is much weaker is in operational technology. But the cost of bringing it all up to current standards, to say nothing of access to the business' physical kit to do such upgrades is genuinely prohibitive. To such an extent that building new stuff in parallel then shutting off the old may be more practical - not very practical at all.
Some basic needs in the OT world need to evolve too. Firmware management is a particular pain in the ass. No USB sticks to upload firmware, so how do you update? No site wifi, but a moron contractor plugs in a generic off-the-shelf router for 'convenience', exposing all and sundry. Yes, we have a long way to go.
A big attack might force the issue. Just saying.
-
Friday 4th February 2022 12:30 GMT Eclectic Man
Prevention vs Cure
Surely part of the problem is identifying how much to spend on prevention (i.e., effective IT security) compared to cure when something goes wrong? There is effort in training people not to respond to phishing emails, and that effort costs time and money. And most emails are not phishing attacks (really they aren't) so management sees the effort in training and reviewing each email for phishing attacks as a cost, rather than insurance.
The difficulty in estimating the actual costs of an attack is great. In one company where I was consulting in-house, they got the infamous 'love bug' email. Which did absolutely nothing. All of the people there were solely interested in making money, so had none of the VB or other files it attacked on their machines. All we had to do was ban the web sites it contacted at the firewalls and delete it; we didn't even have to shut down a single machine. Other organisations were not so lucky.
And also, management, like everyone else in the organisations, just want to get on with their jobs and not bother trying to understand 'irrelevant' things like GDPR, InfoSec, or Business Continuity until something happens, and then they just want to be told what to do. Senior management, on the other hand, really ought to understand threats to their business, but many are only there for 5 years (how long did each of the last 3 CEOs at, say, BT last?), are on millions of pounds / dollars a year, and will leave with a handsome pay off (e.g., Sir Fred Goodwin* https://en.wikipedia.org/wiki/Fred_Goodwin ). So the risk to themselves is small compared to the risk to the customers and staff.
*Quiz question: What is the difference between Sir Fred Goodwin, chair of the Royal Bank of Scotland, and Sir Terry Wogan, disc jockey, broadcaster, supporter of 'Children in Need'? Answer, one had a qualification in banking, the other is Sir Fred Goodwin.
-
Friday 4th February 2022 13:59 GMT Anonymous Coward
Money is good but you need a plan and it takes a while
Start at the grass roots. We have compulsory IT cyber-sec training every month; they often repeat the usual stuff but also teach new stuff. IT bods fly through it, but it means forcing every person in the company to be nagged every month about the easy stuff: "check the URL protocol", "look for the padlock", "don't ever open attachments", etc. If you don't take part you get named and shamed on an email blast at the end of the month: "Please can those on this email list complete this month's cyber sec training before end of Friday. Failure to complete it will result in a report to your dept head."
It's all a big arse-covering exercise of course, to put in our company brochure ("All our staff are fully trained in the latest..."), but if one less person has to have their laptop rebuilt due to stupidity then it saves our desktop support guys some grief.
Give my shop its due, they've hired 3 distinct sec bod roles, one for cloud tech, one for on prem and one for purely IAM stuff, and they chase everyone constantly. They've put tools, agents and suchlike all over the shop. There's a regular monthly online forum you can attend where they all lay out the next month's work, plans and suchlike.
Must admit that since they actually started throwing money at the security problems, the last 3-4 years now, things are actually improving at a serious lick in my place. We now have people we can go to for proper advice if we feel someone is doing something stupid and risky like blasting out full app dumps over plain FTP or public cloud shares!!!