
The 5 biggest IT security mistakes

IT security can be a thankless task, and mistakes only magnify the problems

Network World
July 25, 2011 11:29 AM ET

Like cleaning the windows, IT security can be a thankless task because people only notice when you don't do it. But to get the job done in the era of virtualization, smartphones and cloud computing, you've got to avoid technical and political mistakes. In particular, here are five security mistakes to avoid:

1. Thinking that the business mindset of the organization is the same as five years ago.

It's not. Your power and influence are being whittled away as the organization you work for opens the door to employees using personal mobile devices at work, and pushes traditional computing resources and applications into the cloud, sometimes without your knowledge. You have to be proactive in introducing reasonable security practices into fast-moving technology choices that are sometimes made outside the IT department altogether. It's a "mission impossible" assignment, but it's yours. It may involve developing new policy guidance that clearly spells out the risk factors so nobody is working from false assumptions.


2. Failing to build working relationships with IT and upper-level managers.

IT security divisions are typically small in relation to the rest of the IT department, so IT security leans on IT staffers to get basic security jobs done. The security professional may have specialized knowledge and a pocketful of certifications like the CISSP, but that doesn't mean he or she is admired or liked for it, especially since security people are usually the ones saying "no" to other people's projects.

Moreover, don't assume the power structure always points to the chief information officer as the top decision maker. A fundamental shift is under way in which the CIO's traditional role as commander of IT projects is declining, and the chief financial officer increasingly has the final say on IT spending. Some evidence suggests the CFO doesn't even like the IT department. The CFO's ideas about security may go no further than the general legal notion of "compliance." The job for the security professional, then, is to communicate, communicate, communicate.

3. Not understanding that virtualization has pulled the rug out from under everyone's security footing.

Organizations are well on their way to achieving 80% virtualization of their server infrastructure, and desktop virtualization projects are increasing. But security is lagging, with many incorrectly assuming that it begins and ends with VLANs. A VLAN separates broadcast domains; it does nothing to inspect or control what two virtual machines on the same host say to each other inside that domain. The reality is that virtualization architectures change everything by opening new pathways that can be exploited. As has happened so many times before in the IT industry, a groundbreaking technology has been rolled out with inadequate attention paid to its security impact.

Some traditional security products, anti-virus software for instance, often don't work well in virtual machines. Physical appliances may have new "blind spots": traffic between two VMs on the same host is switched inside the hypervisor and never reaches the physical wire where a firewall or intrusion-detection sensor is listening. Today, specialized security products for virtualized environments are finally coming to market, and security professionals need to figure out whether any of them should be used, while also keeping up with the evolving security plans of vendors such as VMware, Microsoft and Citrix. Virtualization holds tremendous promise for eventually improving security, especially disaster recovery.
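The "blind spot" point is easy to check against your own inventory. The following script is an added example, not code from the article or from any vendor: it takes a constructed list of VMs with the host, virtual switch and VLAN each is attached to (the field names are assumptions) and classifies every pair of VMs in the same VLAN as either "hidden", because both sit on the same host and vSwitch so their frames never leave the hypervisor, or "visible", because their traffic has to cross a physical uplink where an appliance could inspect it.

```python
from itertools import combinations

# Constructed sample inventory for illustration only (not from the article).
# Field names "vm", "host", "vswitch" and "vlan" are assumptions; in practice
# you would pull these from the hypervisor management API or a CMDB export.
INVENTORY = [
    {"vm": "web01", "host": "esx-a", "vswitch": "vSwitch0", "vlan": 10},
    {"vm": "web02", "host": "esx-a", "vswitch": "vSwitch0", "vlan": 10},
    {"vm": "db01",  "host": "esx-a", "vswitch": "vSwitch0", "vlan": 20},
    {"vm": "app01", "host": "esx-b", "vswitch": "vSwitch0", "vlan": 10},
    {"vm": "hr01",  "host": "esx-b", "vswitch": "vSwitch1", "vlan": 30},
]


def classify_l2_paths(inventory):
    """Classify VM pairs that can talk at layer 2 (same VLAN).

    Returns {"hidden": [...], "visible": [...]} where each entry is a sorted
    (vm_a, vm_b) tuple.

    - "hidden": both VMs share a host and a vSwitch, so the hypervisor
      switches their frames in memory.  Nothing reaches a physical uplink,
      and a firewall or IDS sitting on the wire sees none of it.
    - "visible": the VMs are on different hosts (or different vSwitches on
      the same host, which do not bridge each other), so the frames cross a
      physical uplink and an appliance on the wire can at least see them.

    Pairs in different VLANs are skipped: they need a layer-3 hop, and
    whether that hop is inspected depends on where routing happens.
    """
    hidden, visible = [], []
    for a, b in combinations(inventory, 2):
        if a["vlan"] != b["vlan"]:
            continue
        pair = tuple(sorted((a["vm"], b["vm"])))
        if a["host"] == b["host"] and a["vswitch"] == b["vswitch"]:
            hidden.append(pair)
        else:
            visible.append(pair)
    return {"hidden": sorted(hidden), "visible": sorted(visible)}


def report(inventory):
    """Print the classification in a form suitable for a quick review."""
    result = classify_l2_paths(inventory)
    print("VM pairs whose traffic never reaches a physical appliance:")
    for a, b in result["hidden"]:
        print(f"  {a} <-> {b}")
    print("VM pairs whose traffic crosses a physical uplink:")
    for a, b in result["visible"]:
        print(f"  {a} <-> {b}")
    return result


if __name__ == "__main__":
    report(INVENTORY)
```

In the constructed inventory, web01 and web02 share esx-a, vSwitch0 and VLAN 10, so anything one does to the other is invisible to a wire-side sensor; app01 talks to both of them across the uplinks, so that traffic can be inspected. Any pair that lands in the "hidden" list needs a control that lives in the hypervisor (a virtual firewall, introspection agent or port mirroring to a sensor) rather than the appliance in the rack.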
