I enjoy reading InformationWeek because it gives me a chance to keep in touch with broader IT trends, and the content is usually solid. The cover story for last week's issue was End Users: Ignore Them At Your Peril (sorry about the odd link; the original is here but requires registration). I started reading the article by Michael Healey of Yeoman Technology Group, but quickly realized Mr Healey is clearly out of touch with the reality of the modern security environment. He writes:
Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky...
Are we really less secure than we were 10 years ago? Probably not. Much like watching cable news will make you think the world is burning and people are coming to snatch your kids, today's level of security awareness has altered the psyche of IT.
This new awareness is coupled with very real regulatory requirements, such as new Massachusetts privacy laws that require tougher disclosure when there's a security breach or problem.
It's no wonder the security folks are so jumpy. But they're missing the message that CIOs need to hear: Security is working. It's been more than a decade (yes, 10 years) since any particular security flaw has had a truly widespread impact. The Melissa and the ILoveYou attacks were the last.
We're not proposing you drop your guard. Security is a good reason to stop a project that's too risky. But if you've built an effective IT security model that combines base protection, active monitoring, and proactive management, and you stay tied into the overall industry, your chances of a major failure are slim.
Congratulate your security team for once and see if they can start moving out of their foxholes and figure out how to add some new devices and capabilities.
Feel free to stop laughing now, if you can. Clearly the last time Mr Healey paid attention to anything involving security was a decade ago, if all he can cite are "Melissa and the ILoveYou attacks." It sounds like he's the one in the foxhole, supposedly safe while the world around him continues to be in turmoil.
There are so many ways to refute his point of view, but let me close with a really simple idea. Security is simultaneously global and local. Failures can occur at either level. Many organizations care more about the local than the global because local failures are more likely to impact them directly. They tend to care about the global only when it affects the local. In other words, even if no global security failure takes place (like a worm affecting the whole Internet), local security issues will still occupy a lot of security time and resources. The inability to point to a global failure (even correcting for ignorance) says nothing about local security problems.