The evolving role of the IT security manager
Security has long been the poor cousin of IT. As any security professional knows, the way we have traditionally implemented security is tantamount to a technological afterthought. Through the years we have attempted to block holes, protect the periphery and lock down access rights for running systems, in the knowledge that IT …
"...the way we have traditionally implemented security is tantamount to a technological afterthought..."
Ahhh! That will be Microsoft you are talking about then :-)
...are the best solution for many situations, because even larger organizations cannot amass the expertise to detect data exfiltration (e.g. by spearfishing) in a timely manner.
Of course, IT departments have to carry part of the burden by patching in a timely manner, locking down PCs and migrating to modern versions (see IE6.0).
Network defense requires a lot of expertise and that is simply often non-existent in IT departments.
" ‘the business’ is in a far better position to decide the risks, than anyone in IT"
Perhaps that should say "the business should be in a better position..." - if the management actually understand the risks and and can make an appropriate decison, then I would agree. However, from previous exerience with many companies, most managers at all levels tend to seriously under estimate risks and the costs involved.
Far too many managers focus on their own areas of responsibility and have at best a limited knowledge of how incidents will affect the overall business - and there is all too often a culture that supports a policy of "it's someone else's problem".
" ‘the business’ is in a far better position to decide the risks, than anyone in IT"
Provided that they know about the IT issues and can relate that to business success. That is like saying "provided that they have ten meters of wingspan and good muscles, pigs can fly".
Most manager are ignorant idiots who could not care less about IT security. They will only do something as soon as the dirty emails to their mistress are being posted on the USENET. "I approved the purchase of Norton AntiVirux for the whole company, can't you see I am concerned about security ? And now please leave me alone with my favourite toys powerpoint and excel. Also, I have to review the latest youpr0n.com clips. Carpe Diem !"
You're absolutely right on all counts of course. Let me say the vantage point of the business is a far better place than that of IT. Ultimately, business management is responsible for information security, not IT management - so there is a question about taking responsibility here. Perhaps the simple question is "who goes to jail?" - but while IT is constantly trying to second-guess the risks or patch holes caused by poor attitudes, nobody gains.
Sign up, sign up for The Register's weekly IT security newsletter - click here
