[Update 3/19/09: I’m cleaning out some unfinished posts that I didn’t want to lose, so I’m just publishing them as is. This post is a bit of a rant from summer 2008, but I feel I wanted to make some points about how IT may talk all pretty about ‘aligning with business’ but really we’re probably always going to be stuck in some ‘silo’ of some fashion no matter what. Also, entities are simply not doing the simple security things correctly. This compounds the ‘silo’ problem… I wonder if it would help if ‘business aligned with security’?]
Talking in our team meeting this morning at work, and it became a bit of a cynical day to start out. That is one thing about being in IT and being security-conscious (or being in security)…you can become cynical and negative extremely quickly, and often. At least for many of us, we keep the venting in the back rooms.
We were talking about some of the breaches that have been occurring in recent years and how they are still only slowly pushing proper security measures. Interestingly, it seems that most, if not all, of the media-covered breaches are the result of stupidity on the part of users, or very simple mistakes on the part of the victim company or person. Perhaps really talented hackers are not getting caught and maybe a lot of those more subtle attacks are being buried in corporate bureaucracy and fear, but I truly think most of the incidents are borne out of mistakes or opportunity for the attacker.
This means that a depressing number of these were preventable. And a depressing number of these make us corporate goons highly frustrated because we talk and talk and demonstrate and warn about the same issues. Not much of this stuff is new to those of us with half common sense.
Ask your employees who is responsible for data security, and I would be willing to bet that half or more will say IT. Another small slice will act smart and say everyone, but they’re just supplying the right answer without really believing or living it. Very few will answer and truly believe that it lies with everyone. So that puts the burden on IT, for the most part.
Companies complain when we work in a silo, vacuum, or do things on our own that affect their job without other people’s input, no matter how inane or useless that input may be. Which is weird, since we are supposed to do things on our own, like, you know, security.
We can often complain about lack of action or preventative planning in the upper ranks of a corporation. “It won’t happen to us,” is a common refrain, whether explicitly spoken or implicitly implied (I wonder if you can explicitly imply something…). But one that really annoys me is the statement, “We already have adequate security.” I really hate that, especially when you ask the IT guys if we have adequate security and we immediately either give an “I-know-better” smirk or we look suspicious, wondering what politico-business trap we’re about to fall into based on our response. Top-down, there is a gap where eventually a C-level just doesn’t know the nuts and bolts and lives in their own little reality. Not all of them, but that is a very easy cloud to fall into, especially if they feel they should be a leader by example and trust their employees, validating that trust with nothing more than, “it’s never happened yet!”