If you find that your security has been compromised, the normal approach that most businesses take to addressing it goes something like this...
Step 1: Admit you have a problem.
Step 2: Blame someone else.
Step 3: Hire a lawyer.
I'm going to spend some time on step 2, as I think that this is where the process really goes off the rails. Before we can blame someone else, we need to decide who to blame. All too often, instead of blaming the attacker, we blame our IT department for not managing our systems appropriately. How could they possibly have let this happen?
The answer is depressingly simple: senior management are taking the ostrich approach to security management. If I can't see it, it can't hurt me. If I stick my head in the sand, I can't see it. I know how to stick my head in the sand. Problem solved!
The outcome of this approach is that the perennially blamed IT department are not given guidance on what they should be protecting, how they should be protecting it, nor the training to protect it in the first place. Most IT departments simply are not competent to answer the question "Are we secure?". The only honest answers they could give are "I don't know" or "As best I know how", but this isn't what management want to hear, so this isn't what the IT department says.
To quote Spaf's first principle of security administration: "If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."
Sand is cheap. Real security is a lot more valuable.
Phil Kernick, Chief Technology Officer
@philkernick | www.cqr.com