funsec mailing list archives
Re: [privacy] 26 IRS Tapes Missing in Kansas City
From: Valdis.Kletnieks () vt edu
Date: Mon, 22 Jan 2007 17:37:52 -0500
On Mon, 22 Jan 2007 16:00:50 CST, Brian Loe said:
> The caseworker. In the place you describe it's obvious that the manager could get rid of most of his IT staff and not hurt or improve his position. At the least, he can drop the guy that hasn't figured out how to encrypt a hard drive and hire someone that can.
This, of course, implies that you (as the manager) understand that knowing how to encrypt a hard drive is important enough to fire somebody who doesn't know how. And I don't think anybody expects the clueless IT guy to fess up voluntarily and ask to be fired because his skill set isn't big enough.

(And it's not "obvious" that firing "most of" the 3 guys wouldn't make things worse - although it doesn't take a *lot* of tech clue to replace dead hard drives and install software patches/upgrades, it's the *very* rare IT shop that's so brain-dead that canning them and making the social workers do that stuff instead wouldn't be worse. A *LOT* worse.)

I'll overlook the fact that most non-IT managers actually *believe* that computers are supposed to be balky things that rarely if ever work smoothly, so if things mostly-sorta-kinda work 90% of the time, they think they're actually ahead of the game. So they have no reason to expect better from their IT staff.

Bruce Schneier has pegged the basic problem with large classes of security issues, pointing out that it's what the economists call 'externalities'. The person making the decision has only local feedback regarding the true costs, and there's no functional feedback loop regarding the costs to people who didn't have a say in the decision.

The end result - the social services manager will *remain* too busy trying to do social-services stuff to bother fixing the IT problem until it actually matters *to him* (possibly during an annual performance review). Of course, the people *doing* the review will remain equally unmotivated to make IT security part of the review process, until something pressures *them* to change.

(For an example of how this works, see how quickly the US Govt moved to require full-disk encryption once the VA exposure of millions of records ignited a fire under the appropriate people. Feedback of the *actual* costs happened, and change is actually taking place).
_______________________________________________ privacy mailing list privacy () whitestar linuxbox org http://www.whitestar.linuxbox.org/mailman/listinfo/privacy
Current thread:
- [privacy] 26 IRS Tapes Missing in Kansas City Fergie (Jan 19)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Brian Loe (Jan 19)
- <Possible follow-ups>
- Re: [privacy] 26 IRS Tapes Missing in Kansas City RMueller (Jan 20)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Shyaam (Jan 20)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Valdis . Kletnieks (Jan 22)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Shyaam (Jan 22)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Brian Loe (Jan 22)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Valdis . Kletnieks (Jan 22)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Brian Loe (Jan 22)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Valdis . Kletnieks (Jan 22)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Brian Loe (Jan 23)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Valdis . Kletnieks (Jan 23)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Brian Loe (Jan 23)
- Re: [privacy] 26 IRS Tapes Missing in Kansas City Shyaam (Jan 20)