by nradov 1216 days ago
The lesson here is that the City of Oakland and similar organizations shouldn't be deploying such systems at all. They should lay off most of their IT staff and outsource their entire IT infrastructure to one of the large vendors who has the resources and technical competence to deal with advanced persistent security threats. Blaming the OS vendor won't accomplish anything.
2 comments

Microsoft is an MSSP as well. And they are one of the multiple vendors the City of Oakland uses. But vendors can only do so much for organizations like Oakland as the final decision and implementation ends up getting stuck in red tape and bureaucratic hell between multiple disjointed teams.
What I'm proposing is that cities should outsource their entire IT infrastructure to a single vendor who runs the whole environment, including security. City employees shouldn't have any authority in these issues beyond vendor selection. I understand that might be politically difficult but what is the alternative? It isn't reasonable to expect city employees to have the skills and resources to defend against advanced persistent threats.

There is still room for city employees and other vendors to exert some control over higher level IT services and applications. But the core infrastructure needs to be under the control of a single competent vendor.

IMHO the core issue is a lack of resources - they can't afford an outsourced vendor that will do stuff properly just as much as they can't afford to do the same thing in-house. There's barely a budget to get hardware, and definitely not to deploy it properly; there's barely a budget to replace what dies of old age, and definitely not to do proper maintenance and updates.
Then the Oakland city council should make hard choices and reduce discretionary expenditures in other areas. That's a shame and it will hurt underprivileged city residents who are already struggling, but they need to face reality. I hate that we essentially all have to pay a "tax" to protect against IT security threats but what is the alternative? There doesn't seem to be a cheaper option that actually works.