I have a unique job that takes me into companies of all sizes. From Fortune 100, 500, and 1000 companies to mom-and-pop shops, I have been in them all at a detailed level of their IT Security operations. Overall I have become extremely concerned as an IT Security professional, scared as a consumer, and frustrated by the amount of ignorance and naivety in companies' attitudes and approaches to IT security.
I understand everything is money, and people claim that money is tight, or the economy is used as an excuse not to spend money. Either way, there are aspects of a business that require expenditures regardless. IT Security is one of those must-haves. But what I see on a regular basis is that IT Security is looked at as an IT group luxury and not as an Enterprise Necessity.
One reason, I believe, is that the decision makers and check writers are not IT people. Even CISOs, CTOs, or ‘technical’ C-Level Management are not technical by background; they are business people who learned enough IT to be dangerous. That lack of comprehensive understanding makes IT security (software) more intangible and therefore harder to justify investment in.
The best IT Security is the one that you never hear of. One that keeps you out of the newspapers and off the websites that report breaches. One that allows the IT staff to do a tremendous amount of work and keep things running without needing to add more staff. But you can’t touch it. You can’t see it. Why would I spend $1 million on the invisible?
There are many beautiful physical buildings that companies reside in. They all have one thing in common: elaborate and extensive physical security at the entrances. Guards, turnstiles, cards, ID checks, escort requirements, cameras, controlled access to floors, time limits, and so on.
The front door security is an Enterprise requirement to protect physical access and control who comes and goes in and out of the buildings. Why not put that same stress on the IT systems? What’s more damaging: the loss of a few laptops, or a breach of a few hundred thousand account numbers or other critical data that will splash your name all over the news? Then add the fines and penalties on top of that. Or a ticked-off employee who leaks or takes proprietary data before they quit?
Most likely, if they are not putting that stress on IT, the laptops that might get stolen have SSNs and account numbers sitting on them anyway.
Yes, there is an associated risk that something might happen. Someone might also walk in and out of the building with something. But a few hundred or a few thousand potential people is a far cry from the millions who can come at you from all angles on the Internet, or, more likely, someone internal doing something that you never know about.
Unfortunately, I think the focus won’t be placed on intangible IT security until that breach or massive failure happens. By then it’s too late.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.