Poor Security Due to Lack of Accountability?

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    638

    I just read an interesting article claiming "Security is poor because vendors are not held responsible". It basically says that organisations don't feel any need to address security-related issues because they are not held accountable for doing so (especially financially).

    <SOAPBOX step="up">
    It is my opinion that this is something that affects the whole of the IT industry. IT professionals are not accountable for what they do, not to the same level as professionals in Medicine or Law, for example. Huge IT companies can still get away with releasing software that doesn't work. If we in IT are to gain any credibility as a profession, we must start taking responsibility for our work.
    <SOAPBOX step="down">

    You can read the full article here.
    OpenBSD - The proactively secure operating system.

  2. #2
    Senior Member cwk9
    Join Date
    Feb 2002
    Posts
    1,211
    One of the main problems is that if some non-technical person is doing the hiring, they assume that just because you're great at setting up networks you're also a pro at network security. And of course you're not going to screw yourself out of a job by pointing out your shortfalls. So they hire you and you build them a network with more security holes than your mom's un-patched Win98 box.
    It's not software piracy. I'm just making multiple off-site backups.

  3. #3
    Senior Member
    Join Date
    Mar 2002
    Posts
    425
    Smirc,
    I agree with the point that IT people need to take responsibility for their work. I think that should hold true for all professions. But to what level do you take that? I once worked in a grossly understaffed IT department. Luckily I don't anymore, but sometimes we had to stand a system with crappy security because that was what management ordered. Should we take responsibility? No. Management expects us to do a perfect job with half of the needed manpower and strict schedules that led to unfinished security procedures. Some of the responsibility has to fall back to them too.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    Smirc,
    I agree with the point that IT people need to take responsibility for their work. I think that should hold true for all professions. But to what level do you take that? I once worked in a grossly understaffed IT department. Luckily I don't anymore, but sometimes we had to stand a system with crappy security because that was what management ordered. Should we take responsibility? No. Management expects us to do a perfect job with half of the needed manpower and strict schedules that led to unfinished security procedures. Some of the responsibility has to fall back to them too.
    Absolutely, management has to support their IT department in order for them to do a good job. For some reason, when the accounting auditors come in, management always busts their asses to make sure things are squared away. But when it comes to their IT department they don't want to know.

    I think managers need to recognise the fact that IT is here to stay and that it is now an essential part of doing business. They should adopt policies to reflect this by managing their IT infrastructure as an asset. Good managers protect their assets, which is where network security comes in.
    OpenBSD - The proactively secure operating system.

  5. #5
    Senior Member
    Join Date
    Mar 2002
    Posts
    425
    Something I was told early in my training...

    "Security is a black hole that management hates. They throw money into the hole and never see any returns on their investment. On well-secured networks, they can't see the threat that never reaches them. Therefore, they lower funding in an effort to save money. Of course, the security stance is diminished and will continue to diminish until an incident occurs, at which point they complain that the network should have been more secure."

    Until we get some managers that are more concerned about the long term than just this year's bottom line, security will always be just a "black hole".

  6. #6
    Senior Member cwk9
    Join Date
    Feb 2002
    Posts
    1,211
    Spending money on security falls under the preventative maintenance area of things. A little money on security is a lot cheaper than fixing damage done by a hacker. A prime example of this would be the college I'm currently attending. One day the mail server I use to get assignments from was down. So I walked down to the IT department to ask how long it would be down for.

    Me: How long will the mail server be down for?
    IT guy: About 24 hours.
    Me: Um, I kind of need it to get assignments.
    IT guy: We know, but the server got a virus.
    Me: Didn't the antivirus software catch it?
    IT guy: We didn't put antivirus software on it.
    Me: Why not?
    IT guy: Because it costs too much.
    It's not software piracy. I'm just making multiple off-site backups.

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Well, I can say this much, and I agree that IT accountability is important and a must; well, at least it is now, 'cause my neck is on the line day to day. I spent the first 6 months of my job 3 years ago locking down an undocumented network put together by some well paid consultant. Yes, I'd call them back in, because I could not follow the logic of 4 servers and 25 different ways of thinking. One area I see very lacking in professional behavior with many in IT (and they are sharp, but young): they fail to understand business operations, as in NO, you cannot reboot 3 servers and fool around thinking it may work while 50 people are on the system working; real basic stuff. IT people need a clear understanding of the business operations they support. Is my network locked down and secure? Well, today it was; who knows what tomorrow brings. The best I ever got as accountability was the "OK, we will reduce that bill 'cause we didn't tell you nor fix it, but after all we had to drive over to just look"; it is called billable time, and when IT is driven by that, it is quantity not quality that drives the person. We all got bills to pay.

    The largest accountability issue out here is the users; after all, you can filter the email attachments at the firewall, yet a user can go to their web-based email and, in spite of several warnings skipped over 'cause they wanted to read the fun email first, open it anyway. IT security and secure networks are only as secure as the weakest link in the chain, the user, and well, some people really should not have a computer. So I'd say I'm accountable, and the reality is that many schools' IT depts opt to do what, well, is the reason you're at school: to learn to be accountable for your own actions. Is it the fault of IT for not having the latest and expensive virus scanner license, or is it the user that ignores all the information and wants to look at Snow White? I'm lucky I have good owner/management support, and any security issue is explained in business terms, i.e. if we do not implement this, here are the risks, here are the liabilities, and this is how it affects your bottom line. Like the thread I started, "what does a net admin really do", well, it's not all on the boxes, so I'd suggest some business classes and at least a clear understanding of business operations. I'd love to hold accountable the IT person that came in when I was on vacation and caused a loopback error on part of an unmanaged switch area; thing is, he will stand fast in "I think this worked" until I cleared the parking lot to the next visit. Yes, accountable we must be; if you're not, you will, like so many consultants, never be called back, or if you are a user, IT sets the rules for good reason: those boxes pay your salary, or provide your edu stuff. So IT could not afford the $, and will spend more effort finding the person responsible for the damage. I waste 1/2 my day scanning for the latest exploits, viruses etc., not to mention M$ patches, while too many moron users just sit clicking away 'cause they can point at it. So for what portions do we as professionals become responsible?
    IT is professional, though not always business-like, or even PR- or HR-like; gotta work hard in those areas also. Users, well, some have no ethics or even know right from wrong, so throwing money only lasts so long if no money is spent on the weakest link, the user, that either uses the computer to be productive or destructive; destructive seems to rule things nowadays.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glenn Seaborg
