
Companies Lack Respect For Infosec Pros

While a lot of my friends are off having a blast at ShmooCon in D.C., many more of my infosec friends and I are, instead, wishing we were there. It's tempting to rant about how little infosec training many of us actually get, but there's another problem I've seen several examples of lately -- infosec professionals getting stuck wearing the hat of sysadmin or network administrator.

This road certainly goes both ways, but I'll stick up for the infosec professionals in this post since they're my brothers-in-arms, so to speak. For example, one of my friends currently holds the title "information security manager" for an organization that has approximately 20,000 hosts statewide. His job description specifically states that the majority of his time is to be spent on security activities, such as log monitoring, IDS, antivirus and patch management, incident response, and the like.

But how much time do you think he gets to work on those things? The current approximation is about five hours or less a week. It turns out his Unix admin skills have proved to be more valuable to management because he now manages the Unix-based virtual server environment, Linux-based network and host monitoring system, and a few Linux servers that the sysadmins weren't knowledgeable enough to properly manage themselves.

Every time I talk to him and hear his war stories, I'm disappointed. For those of you managers out there, stop making your security guys double as sysadmins, network administrators, and help desk technicians. I can name about a half-dozen people in a similar boat, both in the private sector and academia. The problem isn't confined to any one industry.

From speaking to my friends, the real issue seems to be a lack of respect for information security. The organizations they work for like saying they have an IS department, even though the individuals in those positions have little power and do very little security. If you're one of these managers, show a little love and respect for IT security. The guys in those jobs might just save your company from a humiliating data breach -- or worse.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
