Powered by InformationWeek Business Technology Network
Topics:
Security
The Four (Non) Myths Of IT Security
Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them. I’m still not quite sure what to make of the Symantec IT Risk Management Report Volume II that hit my inbox moments ago. But I know pure spin when I see it. Especially bad spin. While I haven’t had a chance to parse the 50-odd pages, the conclusions of the report are baffling. Even more so considering the findings are targeted toward CISOs, risk managers, as well as compliance and audit professionals. I think some of these professionals may find the report condescending, if not downright insulting. I’ll explain. The report highlights four myths that the security vendor says it dispels. While these may be "myths" believed by the layperson, or first-year IT professionals, they're certainly not "myths that need to be dispelled" in security circles. At least not by anyone who has ever tried to walk that careful balance between business need and risk mitigation in the real world. Now, on to the "myths": Myth One: IT risk is security risk. Because 78% of its respondents ranked availability as a “critical” or “serious” rating of IT risk, Symantec concludes that the "emergence" of a broader view of IT security is underfoot. Newsflash: Availability always has been a crucial part of the IT security equation, from defending against denial-of-service attacks that choke Web performance to e-mail worms that drag down communications. In fact, availability is part of the IT Security CIA triad: Confidentiality, Integrity, and Availability. Myth Two: IT risk management is a project. I've yet to hear any chief security officer, security analyst, or even firewall administrator refer to IT risk management as a "project." In nearly every business large enough to have a CIO, risk, compliance manager, IT security and regulatory compliance are treated as long-term programs, not one-off point projects. Myth Three: Technology alone mitigates IT risk. I dropped my ham and Swiss-cheese sandwich onto my desk when I read this rib-cracker. Again, I've not come across any CISO, chief risk officer, or industry analyst who thought -- let alone ever said -- that technology alone could mitigate IT risk. Most go by the adage that good security is about People, Process, and Technology -- in that order -- when it comes to mitigating risks. Myth Four: IT risk management is a science. "An emerging business discipline, not a science," is how this report describes IT risk management. Does this need to be stated? A simple example would be deciding whether a wireless LAN deployment creates more risk than business or productivity value. If the WLAN can be cost-effectively secured, a WLAN gets the green light. If not, or if the data residing on that network is too valuable to risk, the WLAN would be a no go. These types of decisions are rarely based on science. This report is a case of the survey respondents knowing exactly what they were saying. It's the interpretation that is bad. These were not myths to be dispelled; rather, they were the early lectures one would expect to hear in Security 101. Symantec should think more highly of its customers. « Where's Your Credit Card Data? | Main | Open Source 'Movement' Becoming A Gold Rush » |
| Sign up now for the weekly InformationWeek Blog Newsletter. |