Do we get the IT security we deserve?

Balancing technology with governance

In recent weeks we have run a number of connected articles about IT security. In this, the last article in the series, we reflect on security as a whole and review some of your feedback.

We kicked off with a piece on "why IT security matters" . While we said that it would be a rare IT person who saw security as unimportant, as one reader put it, “I've never worked in any company where security was considered near the top of the list if at all.”

This is a shame, given what we said about the "threats" existing both ‘out there’ and within the corporate boundary. We don’t want to act as scaremongers, but one thing is for sure – attacks are becoming more targeted, and seeing security as someone else’s problem is ever less of a valid option.

Of course there are a range of security products which can help, but despite their continued development we have to recognise that they can’t exist in isolation. “Just like you can't pop a pill that'll make you fit and healthy, you can't plop a ‘security’ product into an environment and solve all your woes,” says Reg reader Pete.

This brings us back to the mantra of security-is-a-business-issue, which we highlight in a podcast on how to deal with the risks, here. Sometimes we feel we’re sounding like a broken record, but it is clear that many organisations have yet to get the message.

Unfortunately, attitudes like those highlighted above can lead to security being sold more opportunistically, dealing with specific threats and solving short-term problems rather than trying to overcome the long term issues. Is it any wonder we end up with dissenting voices? As Pete continues: “Sadly the security industry is packed full of snake-oil sales people, proffering a quick solution. It's also packed with decision-makers after a quick-fix, due to the short-term planning and results based reward system of most companies.”

And there we really do have the nub of the matter. We get the security industry we deserve – and if decision makers are thinking and acting tactically, should we be surprised when the industry responds in kind? If we really do want to get the kind of help we believe would work best – "to reduce business risks" through appropriate use of technology – we need to start asking the right questions of our suppliers.

On all sides, the consensus is that seeing IT security as a technical issue is missing the point. “Security starts with people,” says reader Jake. Adds another reader, “It’s a business issue we’re dealing with, and it’s business information we’re protecting. When we talk about IT security, we should really make it clear that it’s not so much the IT we're protecting, but rather the information which is contained, processed or transferred across the systems.”

How should this be done? From your comments, the answer would seem to lie in good governance. But what does that mean, precisely? ‘Governance’ is a word that has been bandied around with considerable zest in recent years. While there may be no real consensus, at its heart is the convergence of two principles – ‘doing the right thing’, aka making good (and indeed, ethical) decisions, and ‘doing things right’, i.e. running an efficient shop which delivers quality products and services.

“I have come to the conclusion that security is the result of good governance, not an end in itself,” says Steve Kay. “No-one protects a system for its own sake, but for the sake of what it allows access to.” Good call – but with security treated in isolation, it can be too easy for it to become an end rather than the means, with the inevitable consequences. “When businesses can't be bothered to govern, and allow the tools to dictate the end result, they will – quite deservedly – get poor results.”

An inevitable downside of weak governance is the need for stronger compliance – that is, if organisations can’t regulate their own behaviours, the pressure on legislators and regulators to step in increases, which imposes yet more demands on the thinly-stretched IT department. “Any data protection security legislation is likely to cause additional damage, except to security consultants,” says Britt Johnston. “So one aim of all IT departments should be solutions which are good enough to avoid extra legislation.”

Ultimately, good governance holds the key to breaking what is a vicious circle between risk avoidance, increasing legislation and adoption of inadequate technologies, themselves used in a tactical manner. There are indeed practical steps that can be taken by organisations large and small, depending on their starting point – we have covered some of these in this series of articles. However, such steps, if taken without the umbrella of a broader strategy, will only postpone issues rather than dealing with them head on.

If there is one thought we would like to leave you with, it is this: you are right. Security is not about the detail of encryption algorithms, or the configuration of a firewall. It absolutely is about business engagement, classification of information assets, implementing appropriate technologies, recognising the people issues and moving forward with a pragmatic, architectural approach based on appropriately set policies. Within this context, security tools can help – but let nobody expect them to achieve their goals in isolation.