Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Here's the thing. While most people on HN tend to be in the global top performers when it comes to IT, the vast majority of businesses are simply ripe, low hanging fruit just waiting to be breached, and almost every time it is because of a failure of management to understand the importance of those things. Way too many 60 year old men who barely know how to use a computer are at the top of orgs, and are stuck in the janitorial cost sink fallacy of IT. I also put a lot of this on the heads of IT directors or senior sysadmins, who are failing to convey the importance of the matter to those C-levels in terms they understand.

I have learned this the hard way, having started up an MSP at one point and done a lot of contracting to help orgs unfuck their infra, I have seen it all first hand, from 5-30 person lawfirms to fortune 500 oil companies to unicorn startups. I have been the senior sysadmin who failed to convey things in a way the got through C-level thick skulls, and most of my career trajectory has been angled towards keeping up with the sysadmin transition to devops while learning how to fill that gap so I don't repeat those mistakes. I've failed multiple times, but each one is a lesson I learn from and try to apply to the next place, and sometimes C-levels literally just don't care and can't be reached, and nothing happens till a major breach or lawsuit costs lots of money.

To me, this is the importance of the CTO/CIO roles. The problem is, again, the vast majority of America isn't SV. I would say ~%80 of companies I saw didn't even have those roles, and if they had someone in that role but without the title (like IT director), they often didn't have a seat on the board or any real influence with the C's. I have also seen those roles taken by people who should be in other positions but enjoy the "C" title too much, to the detriment of the org.

Sorry, this got kind of ranty, but it's an issue I obsess over in trying to find better solutions for. Basically I'm learning how to hack management instead of computers these days.



> I also put a lot of this on the heads of IT directors or senior sysadmins, who are failing to convey the importance of the matter to those C-levels in terms they understand.

Why? Understanding the risks involved before making a decision is the responsibility of executives. If they calculate that the risks are minimal and crackers prove them wrong by causing damage to the tune of millions, they have only themselves to blame.

How many times have people explained the need for things to be done properly, only for proper infrastructure to be written off as too costly and unnecessary? The fact is they are taking a calculated risk: they get to spend less on information security by assuming nothing bad will happen. Claiming that it's the fault of system administrators is just yet another power move: scapegoating in order to avoid responsibility.

They make the decisions and should face the consequences.


I'm torn on this one, because for years I took your position... but there were numerable times I saw directors/seniors fail to convey that information in an understandable way when the C's might have been open to it when presented differently. There are certain cases were the C's don't listen at all, and theres not much that can be done, but there are also cases where the C's just haven't been presented the information properly.

This is why I am increasingly putting importance on the skills of the Director or CTO/CIO position, because they need to be the kind of person who can handle the board/meeting room but still understand the tech enough to a) not be fooled or lied to and b) understand the real business risks and weigh them properly while overseeing the implementation of solutions.

So I understand and am sympathetic to your point, but I think there is a lot more nuance there. Yes, ultimately the buck stops at the C's, but as the sysadmin who has failed to talk to them well, I still feel like we could do a much better job on our end. This is why I think a lot of more senior devs/ops types of people could do extremely well in the C positions if they got their MBA and had a C-level mentor. Trying to do the opposite, where you try to tech-ize a traditional MBA C-type fails much more often in my opinion, but, that's who dominates those positions. I see market opportunity!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: