If you find that your security has been compromised, the normal approach the most businesses take to addressing it goes something like this...
Step 1: Admit you have a problem.
Step 2: Blame someone else.
Step 3: Hire a lawyer.
I'm going to spend some time on step 2, as I think that this is where the process really goes off the rails. Before we can blame someone else, we need to decide who to blame. All too often instead of blaming the attacker, we blame our IT department for not managing our systems appropriately. How could they possibly have let this happen?
The answer is depressingly simple: senior management are taking the ostrich approach to security management. If I can't see it, it can't hurt me. If I stick my head in the sand, I can't see it. I know how to stick my head in the sand. Problem solved!
The outcome of this approach is that the perennially blamed IT department are not given guidance on what they should be protecting, how they should be protecting it, nor the training to protect it in the first place. Most IT departments simply are not competent to answer the question: "Are we secure?". The only honest answers they could give are "I don't know" or "As best I know how", but this isn't what management want to hear, so this isn't what the IT department says.
To quote Spaf's first principle of security administration: "If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."
Sand is cheap. Real security is a lot more valuable.
Phil Kernick Chief Technology Officer