BUSINESS AND TECHNICAL

Recently I was lucky enough to get to go to an IT security conference, and while there I was able to listen to some seriously bright people speak. But while I was there I noticed three reoccurring and alarming -at least for me- trends coming through from the people speaking.

Number 1 - Mind the Gap
There was lots of talk about bridging the gap between the IT department and the business. The idea was that a CIO or Technical Manager must be able to explain the IT issues to the CEO in such a way that the CEO can understand it. I have a problem with this. One of the fundamentals of any logical discussion is a concept called "Burden-of-Proof", simply put it means that each party must give supporting evidence for their respective viewpoint. If I apply this to the CEO and CIO example, the CIO seems to be doing all the "proving". Now I do agree that the CIO should learn some business-speak, but the CEO -and the rest of the board- should learn some IT-speak as well. There should be effort put in from both sides. Why should the CEO bother? Simple, they are responsible for the company after all. Business needs to take responsibility for the business goal choices, while the technical crowd take the responsibility for realizing these goals.

Number 2 - Accepting the Holes
I also heard lots of talking about how we could only achieve 80% security in our companies. Again I have a problem with this. I am aware that there is no silver bullet for IT security and that each component can only be so effective, but who says you should only put that one component in? If your anti-virus software does not detect spyware, do not just shrug your shoulders. Install an anti-spyware program. This "80% coverage is acceptable" mindset is an unfortunate influence from traditional business, which is applied to IT security. When you place a advert in a paper, you do not expect 100% response, in fact 80% is a very good response. It is here that traditional business people learn this mindset. But it does not work in IT security. Imagine this, an outsource company comes to you and says "Hire us, we can make your network 80% secure" Will you hire them? I sure wouldn't. Business needs to understand the damage that even one incident can cause, then any reasonable person will want to aim for 100%. Don't take stupid risks, an attacker looks for any hole. Your IT security person needs to cover all your security holes, an attacker only needs to find one.

Number 3 - Who needs Geeks?
The last trend is just as disturbing, I heard a lot of disparaging remarks about the "geeks in the basement", those "strange IT guys", even "those guys with no suntan". The same people who make these remarks say that the "geeks" time has passed and that they are outdated. As you might guess, I have a problem with that. It never ceases to amaze me that people insult the people they need to keep their businesses running and secure. I agree that if all you employ are "geeks" you will struggle to relate to them or to align your business goals with IT. But if you have no technical people, you will suffer. The single biggest reason I can say this is simply due to the technical expertise of the hacker themselves. You can only protect against what you know after all. If you do not have access to the good-guy counterpart of these people, then you are up that famous creek without the much needed paddle.

You see whether or not people like it, those of us who practice IT security are doing it for the good of society as a whole. If you are in charge of a banks database, and someone hacks in and steals information, then not only is the bank impacted but also every single person whose information was stolen. We cannot afford to fool ourselves into thinking that our responsibility is limited to the company we work for, to quote Dennis Longley of Queensland, Australia;
"Information security is to protect society, not to provide an alibi to senior management"