My beliefs about security

I’m a big fan of Tom Peters. Right – the Tom Peters who wrote In Search of Excellence and The Brand You. When Tom turned 60, he packaged up a list of 60 things he believes in in a book called Sixty. Many of the things are simple but frequently forgotten. It’s useful to go back through these ideas every so often to remind ourselves what we should be focusing on. Because you are still getting a feel for this column, I thought I would discuss things I believe about security.

I’m a big fan of Tom Peters. Right – the Tom Peters who wrote In Search of Excellence and The Brand You. When Tom turned 60, he packaged up a list of 60 things he believes in in a book called Sixty. Many of the things are simple but frequently forgotten. It’s useful to go back through these ideas every so often to remind ourselves what we should be focusing on.

Because you are still getting a feel for this column, I thought I would discuss things I believe about security.

Security is too complicated. We as security and network professionals pride ourselves on how we mask complexity for our users. That’s the wrong goal. We should be eliminating complexity. There are too many boxes, too many niche products and too many activities that step all over each other. It’s hard to believe, but by looking at security pragmatically and simplifying our security infrastructures, we can make technology easier to use and more secure.

Big is the new small. For a long time, small start-ups ruled the roost. It was cool to buy innovative technology, even if it required a totally different management hierarchy. Most folks I talk to are tired of this. They want an architecture-based solution from a stable vendor. They want innovation, but they want it to fit into their existing security infrastructure. They want to stop integrating disparate security technologies. All other things being equal, they want big.

Compliance is good for you. I know I’m out on a limb here. But if you look back six or seven years, before the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, security was a mess and there was no standardization. You couldn’t tell your boss if your security was good or bad. Regulation changed this. It made us think about simple blocking and tackling. It made us document what we were doing. And ultimately it made someone accountable for protecting sensitive information. The topper has been security funding that wasn’t available before.

We don’t teach; we fix. If we spent half as much time teaching our clients what not to do as we spend cleaning up after them when they mess up, we’d all be better off. So maybe you require new employees to read the acceptable use policy and sign it. But have you taught them how to recognize a phishing message? Or how to detect a spyware site? Or made it clear that they should not be using their iPods on corporate machines? User education is a gaping hole in everything we do, and we need to fix it.

Security is a feature. The fact that there is a business for stand-alone security technology means the providers of network, data center and application technologies are not getting the job done. Security should be baked into everything we do. Yes, this is optimistic, and getting there will take a long, long time (at least 10 years). But if you look at the major players in security, there are only a handful that focus on security. The others control – you guessed it – the networks, data centers and applications.

So there you have it. I cannot cover the entirety of what I believe in one column, but it’s a start.