National labs hit with targeted attacks
Robert Lemos, 2007-12-10
National labs hit with targeted attacks 2007-12-11
sunil rane (1 replies)
Re: National labs hit with targeted attacks 2007-12-14
Anonymous
It's politics - there is a great deal of "enterprise building" and posturing in my .gov organization. Even though there is a fairly reasonable effort at InfoSec on the systems - there is way too much politics at the mid level back end support. For example, the vast majority of IT managers do not have a background in IT and have come from other disciplines based on the necessity at that time. The major problem with this is "outsourcing" when the federal employee rarely lacks the skills or credentials and is relegated to being a project manager. They are depending on contractors to do the technical work. This isn't the problem but they often delegate the work with all the responsibility but without the authority. Meaning, everything has to pass through the hands of 3 or more PMs before it gets implemented. Though they follow the "defense in depth" security principles fairly well, they are too top heavy and inept to react to a coordinated attack on the systems. We are reactionary to upper level management's decision to manage the security by RCERT announcements. Our patching system is designed entirely around these announcements where the main thing they are concerned about is reporting compliance to the regional managers.

This emphasis on passing around the spreadsheets creates a larger problem where so much time and effort is placed on this upper level compliance there is little time for ensuring the little things that ensure disaster recovery are being done. (backups, auditing the logs, etc.)

The bottom line is there are too many hands in the pie and too many egos to contend with if/when things go bad. It turns into a blame game real fast and everybody starts entrenching themselves to protect their careers. It's entertaining to watch but the problem is these folks are charged with protecting vital SCADA systems and the politics usually gets ugly fast when people get threatened with "congressional's" every time they try to do their jobs.


Link to this comment: http://www.securityfocus.com/comments/newsbriefs/641/2301#2301
National labs hit with targeted attacks 2007-12-12
Anonymous (1 replies)







 

Copyright 2009, SecurityFocus