Practical security is difficult, period! Point security is not, but read on. I know, this study was about network and systems security, but as long as those are seen as anything special, standalone and distinct from any other security, there will be problems no IT manager or administrator can solve. Yes, any area in security needs a specialist to implement, but that is not the main problem - the main problem is something like having a front-door lock specialist secure the front entrance and forgetting the backdoor security just because you don't usually use it and anyway it has a latch, which someone "forgets" to close some day - sooner or later and for whatever reason.
So, I wouldn't blame the network / system managers and administrators so much; they can only try to do their work under an (often very) heavy workload, often making processes and procedures in flight. This is because the company doesn't have any guidelines, checklists, etc., or even goals for security. So, when a thief comes through the backdoor or from inside, they can prevent the escape through the front but not through the back. Of course the door security gets blamed, but they may not have even known about the backdoor or maybe weren't authorized to secure it, be it a Cxx laptop, PAD, RIM, wastebasket, or just an open door to the premises.
In some small companies you might (a big if!) be able to control the users. In any large, especially international, company there is no way to control every user in the network or even in the company itself. Yes, common sense by users helps, but it can't be taken for granted and should not be taken for granted!
This is not new; it just amazes me every time it comes up. Working in worldwide insurance, manufacturing, banking, stock, oil, air and even more localized army and government security shows very fast that network and systems security is an important part but not anything special in security, and if all parts are not working together the security will fail, often at the most inconvenient time and with high cost - whatever the cost will be, not always money.
The complaint about cost is bogus! Yes, security has a price, but being without it usually costs more, and that is just a business fact. Companies can take risks but often forget to add the cost of failure to the risk. And concentrating the security efforts on the front door is going to fail (not if but when) no matter how skilled the people (and guards) securing the door are!