[privacy] 26 IRS Tapes Missing in Kansas City
Valdis.Kletnieks at vt.edu
Mon Jan 22 16:37:52 CST 2007
On Mon, 22 Jan 2007 16:00:50 CST, Brian Loe said:
> The caseworker. In the place you describe it's obvious that the manager
> could get rid of most of his IT staff and not hurt or improve his
> position. At the least, he can drop the guy that hasn't figured out
> how to encrypt a hard drive and hire someone that can.
This, of course, implies that you (as the manager) understand that knowing
how to encrypt a hard drive is important enough to fire somebody who doesn't
know how. And I don't think anybody expects the clueless IT guy to fess up
voluntarily and ask to be fired because his skill set isn't big enough.
(And it's not "obvious" that firing "most of" the 3 guys wouldn't make things
worse - although it doesn't take a *lot* of tech clue to replace dead hard
drives and install software patches/upgrades, it's the *very* rare IT shop
that's so brain-dead that canning them and making the social workers do that
stuff instead wouldn't be worse. A *LOT* worse.)
I'll overlook the fact that most non-IT managers actually *believe* that
computers are supposed to be balky things that rarely if ever work smoothly,
so if things mostly-sorta-kinda work 90% of the time, they think they're
actually ahead of the game. So they have no reason to expect better from
their IT staff.
Bruce Schneier has pegged the basic problem with large classes of security
issues, pointing out that it's what the economists call 'externalities'.
The person making the decision has only local feedback regarding the true
costs, and there's no functional feedback loop regarding the costs to people
who didn't have a say in the decision.
The end result - the social services manager will *remain* too busy trying to
do social-services stuff to bother fixing the IT problem until it actually
matters *to him* (possibly during an annual performance review). Of course,
the people *doing* the review will remain equally unmotivated to make IT
security part of the review process, until something pressures *them* to
change.
(For an example of how this works, see how quickly the US Govt moved to require
full-disk encryption once the VA exposure of millions of records ignited a
fire under the appropriate people. Feedback of the *actual* costs happened,
and change is actually taking place.)