Security: It's time for management to get a clue

IT managers must educate their bosses about security issues

It’s easy for people to say that they’re extremely or very confident that their IT department’s security is up to par, and it’s even easier for executives to become convinced of a company’s invulnerability to computer-borne attacks. Even though our respondents were no more confident than they were last year, they still seem to be convincing management they know what they’re doing.

That’s a little frightening, because IT security is like an iceberg in that nine-tenths of the threat is invisible. Judging by some of the comments that respondents to the 2004 InfoWorld Security Survey made, plenty of shops are still rearranging deck chairs instead of watching for trouble.

There is a wealth of wisdom in these snippets, but also some hard reality.

There are observations such as, “Our upper management is of the opinion [that] our files are of no interest to anybody else; the system we have is good enough.” And there are telling insights, including, “[Directors are] sticking their heads in the I-don’t-know-anything-about-IT sand,” and “Upper management [is] not willing to budget money for security purposes until a successful intrusion happens.”

I truly sympathize with the individual who spent almost half a page outlining his problems with management and the shortcomings of his infrastructure, and added, “I just hope I’m not around here when they come looking for a scapegoat.”

I’ve been there and yes, it stinks.

But I have to wonder how many IT departments have addressed the task of educating upper management. Unless your shop is in the business of network security, there’s no good reason to assume that directors and management are aware of the nature of the threat to IT; after all, they’re businesspeople, not technologists.

But when the people with the knowledge don’t take it upon themselves to tactfully explain to the higher-ups where the money goes and why it has to be spent, it’s no wonder that budgets don’t get approved and remedial work remains incomplete. The cost of responding to computer-borne attacks is one metric that applies to companies large and small. Even if you’re lucky enough to escape being covered by one or more of the new data protection/retention laws, downtime has a way of getting attention.

Even if you don’t have the budget you want, there are two constructive things you can do: Be creative with the resources you have and avoid saying “I told you so” when a problem erupts. Either way, you’ll stand out from the crowd.