Solid answers to |
difficult questions, often
in humorous form.
A lot of people are interested in information security, and the number is growing. Maybe this is inspired by news stories of breaches or thefts of credit card data. Maybe it's because we find spies and terrorists who break in to government, banking, technology, and industrial systems. Or maybe it's because, deep in the recesses of our dreams, we really want to do all that. Whatever the reason, information security has shifted from a topic of concern that's dismissed to being a topic that big sectors of the population are worried about. Sooner or later, everyone has to address their own information security, whether it's preventive or reactive.
Business really likes information security, too. It used to be relegated to the lawyers and insurance people, who protected intellectual propery and peoples' private information. Those things are still going on, but now we have executives asking about hackers and criminals and IT departments everywhere are jumping in with both feet to buy whatever new gee-whiz-bang security doodad comes out. Vice presidents are also asking a lot of questions about compliance, which information security investments support, because (for maybe the first time in history) they can go to jail because of something that happens with a machine they have no direct control over. Seems vice presidents are willing to spend a lot of shareholder money to stay out of jail. Oh, yeah, and to do the right thing.
So what really is the right thing? Do we need ultra-hardened firewalls and umteen-gorillion-bit crypto? Maybe some artificial intelligence to monitor the network and spot sketchy traffic patterns? Keystroke loggers and forensic tools to watch every employee so we know they aren't stealing resources?
All that stuff is sexy, no question about it, and (I'll be the first to admit) it's a lot of fun to play with. It also tends to be really expensive, even beyond the initial capital outlay for software and hardware to run it on. These things all need care and feeding, and they don't do it themselves. If you have "an IT guy," expecting him to run all this will only guarantee that your return on security investment (ROSI) will be a loss, and it may not just be limited to the expense. Lost opportunities to deal with business while "the IT guy" is busy maintaining all this stuff can run into real money pretty quickly. If all this non-core technology breaks your enterprise, direct losses to the business can be catastrophic.
Everybody wants to be a gangsta until it's time to do gangsta stuff.
Security technology requires some specific supervision. In addition to the initial capital costs, you'll be needing to hire someone- or someones- to run it independently of the regular IT shop. You'll also need to buy support for the products so you continue to get patches and updates. Somtimes there will be integration issues that you'll need to bring the vendor in to help you resolve it. And on top of this, security investments (like all other IT investments) are usually depreciated over 5 years, according to GAAP rules. And because many security products require subscriptions to data feeds to keep running, stopping maintenance often makes the asset stop working, instantly bringing it's present value to zero.
Not a good story to tell investors and shareholders.
So what to do? It turns out that information security tends to fall into a couple of categories. I like to think of them as "basics" and "edge-cases." The basics include normal administrative stuff and a little common discipline. The basics are the simple stuff like:
These basics cover huge areas of common vulnerabilities which just happen to be first thing bad guys like try. I mean, nobody would start to pick a lock without trying the doorknob first. After the basics are handled, you'll have a better idea of where your threats are, and you'll be able to more deliberately deal with the things that can actually cause losses, and you'll be able to spend money on what you actually need instead of hemoraging cash on tools that waste your time.
So, yeah, these things aren't really very sexy, but they're very reliable at giving a great return on a very low-cost security investment. Ask anyone that's been married for a long time. Exciting can be fun. But reliable? Now that's sexy. If you're still single and you're questioning the truth in this, try it and stick with it. You'll get it.
If you're lucky.
"Full pardon, but I follow up the quest, despite of day and night and death and Hell."