In a short series of webcasts The Register's expert panel will be tackling the current state of the security market. Over the course of the next few weeks the experts will be looking into a variety of topics, from treating the main risks to the importance of an evolving security solution, and what 2009 has in store. Starting …
they missed the basics
Two fundamental steps before setting out on *any* programme of change:
* How will we measure its success?
* What value does it have (i.e. how much are we prepared to spend)
Now I know that "security" is one of those icky, intangible things, like fun or quality or safety. However, if an organisation can't quantify its goals, it will never know when they've been met. How will the organisation know when it has enough security? Or too much?
So far as value goes: you really do need to quantify this. Are you willing to spend 100K to secure your data - and which pieces of data, exactly? Until an organisation is willing to pledge real, hard cash to improving security (or anything else for that matter) it's not really taking it seriously. Another measure of seriousness is: who gets fired if something goes wrong? If it's merely a little manager somewhere, that smells of scapegoat - it's down to the seniors and directors to carry the can.
Personally (god forbid), if I were a CIO worrying about how to secure an organisation, I'd give serious consideration to finding out how many problems were down to the staff, and what would be the worst thing to happen if they all had internet access removed, forever.
Where to start with IT security
No 1: How to make sure someone else other than you handles security.
Pros for security work: more glamorous than backup strategy, better paid if you're an independent consultant.
Cons: Everyone hates you unless you're flying in rescuing a disaster. You're purely a cost. If you do your job right you're not appreciated. If you don't do your job you're even less appreciated. Having to deal with politics where you're not told the real reason this security breach occurred.
Unless you have complete management backup - including the ability to enforce security policy, and are paid lots, run away very fast.
Where to Start in IT Security No 2:
2a) How to be a hard-nosed capitalist and make security work for you.
2b) Other jobs more rewarding and less disliked than this.
Whilst this is great, perhaps before The Reg posts ANY more security stories they might want to, oh I don't know, use SSL to transport passwords from this comment form? Perhaps I've just missed some clever trickery, but if I've not, it might be worth remembering that some people use the same password / e-mail for lots of things. Pretty poor show really.
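The complaint above is easy to check mechanically: parse a page's forms, resolve each form's action URL against the page URL, and flag any form carrying a password field whose action does not use https. The script below is an added example (not code from the thread or from The Register); the HTML it scans is a constructed sample, and the page URL `http://example.com/article` is a placeholder standing in for whichever page is being audited.

```python
"""Flag HTML forms that would send a password over plain HTTP.

Added example, not part of the original thread. Assumes the page has already
been fetched (here a constructed sample string) and that the page URL is
known so that relative form actions can be resolved.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL and whether it has a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # list of {"action": str, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page's own URL.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A bare <input> without type defaults to a text field.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_plaintext_password_forms(html, page_url):
    """Return the action URLs of forms that carry a password field but submit over http."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    parser.close()
    return [form["action"] for form in parser.forms
            if form["has_password"] and urlsplit(form["action"]).scheme != "https"]


# Constructed sample: a comment form with a relative action (inherits the
# page's scheme), a login form posting explicitly to https, and a search
# form with no password field at all.
SAMPLE_HTML = """
<form action="/post_comment" method="post">
  <input type="text" name="email">
  <input type="password" name="pw">
</form>
<form action="https://example.com/login" method="post">
  <input type="password" name="pw">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    # Placeholder page URL; with an http:// page the relative comment form is flagged.
    for url in find_plaintext_password_forms(SAMPLE_HTML, "http://example.com/article"):
        print("password submitted over plaintext HTTP:", url)
```

Run against the sample with the http:// page URL it reports only `http://example.com/post_comment`; with the same page served over https:// it reports nothing, because the relative action then resolves to https as well. Note the check only inspects the action URL: a form on a page that is itself served over plain HTTP can be altered in transit before the user ever submits it, so serving the whole page over HTTPS is the fix, not just pointing the action at an https endpoint.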