News Commentary: CyberSecurity Faults Uncovered – AGAIN!
Yesterday, the San Francisco Chronicle ran another in the endless stream of stories reporting that the Internet is like the Wild Wild West and that we all need to be careful there. This common theme does not bother me, but rather, I think, helps to raise awareness among the general public of the dangers, threats, and vulnerabilities associated with us all tying our computing systems together with unknown entities via the Internet.
Please give it a read and then come back for the part that really bothered me:
San Francisco Chronicle: Cybersecurity – or lack thereof – alarms experts
“Security experts described something alarming Tuesday in a report: Government entities and commercial organizations are failing to protect themselves effectively in the areas in which they are most vulnerable…
The reason that these stories bother me is that they usually end up the same way: compartmentalizing information system security into the pigeon hole of a nameless IT Security Department and blaming all of the problems – and solutions – on them. See how they did it here:
"If security guys are not fixing this, it’s time to get new security guys," Paller said.”
As information professionals, you know that this issue is far more complex than the general mass media wants to digest. To pin “fixing this problem” on your information assurance team is one step above planting your head in the sand and wishing it away.
Here is a list of reasons, beyond that team's control, that might actually be contributing to the problem:
- developers who attempt to hide security flaws rather than fix them – security through obscurity
- manufacturers who hide hardware vulnerabilities for marketing reasons
- users who fail to follow policy
- unnecessarily mixed computing environments
- management pressure to get new systems on the network before security testing is complete
- management decisions that prevent servers from being taken off-line regularly for patching and updates
- upgrades deferred for cost reasons
- incompatibility of patches with existing software
- delays due to quality assurance testing
- delays while hardware vendors validate compatibility with a given patch level
- mobile hardware unavailable for patching due to travel and vacations
Security is a critical function and is surely important. Do not underestimate the team factor involved in its execution, though. It is not simply the “IT guys’” fault… there is no I(T) in Team!
That is my Information Technology Thought of the Day (ITTOD) for September 17, 2009 ©Scott Coughlin