Devil's Advocate: Security - it's so simple

Are you on top of it?
Written by Martin Brampton, Contributor

It's a subject near the top of every CEO's list for 2002, not just CIOs'. This week, Martin Brampton, director at consultancy Black Sheep, demystifies security.

Security keeps hitting the headlines. If it isn't the latest virus or hacker attack, then it's scare stories about the recklessness of managers who cut back on security spending. What is it that makes this problem so intractable?

One issue is that people rather like a certain amount of risk. Many go rock climbing and motor racing knowing these are risky pursuits. To be more precise, it is largely men who engage in these activities, but then management remains dominated by men. In most cases we are rather poor at gauging levels of risk, but an element of danger is often welcomed. So the efforts of vendors to frighten managers into action may well backfire.

In fact the estimation of risk poses problems for IT security. We can find out exactly how risky it is to go rock climbing. Or, perhaps you need to know that horse riding is slightly more risky than motorcycle racing. But when it comes to the threat posed by hackers, it is extremely difficult to derive any figures for either the magnitude of the threat or its likelihood. Typical approaches to risk management are inapplicable to risks that cannot be quantified.

Suppose we do wake people up to the security threats facing IT? Their immediate response is likely to be despair at the difficulty of taking action. Systems have grown up like children who are brought up at home and have never faced the risks of the outside world. Until recently, neither bespoke systems nor standard off-the-shelf packages have had security as their top priority.

Viruses continue to cause substantial damage. They are only able to function because computer systems have so many potentially damaging functions that can be invoked without the slightest check on the authenticity of the requestor. Delete the file system? By all means!

Software has all too readily assumed that requests come only from an authorised source. In a networked world, this may well not be the case. Because security has not been built in from the start, we are left with solutions that are really only patches.

Take firewalls, for instance. They are an ingenious use of technology and provide useful functions at present, but the weakness of solutions based on barriers quickly becomes apparent. Extreme flexibility is needed from contemporary systems, and neat boundaries are rapidly dissolving as work becomes increasingly mobile and organisations become more fluid. And how often are laptop computers simply carried past corporate firewalls to be plugged into the network wholly unchecked?

The old adage applies: the best is the enemy of the good. This is especially true of IT security implementations, where absolute security is unattainable. Aiming for comprehensively good security is the practical goal that ought to be under consideration.

Achieving good standards may turn out to be easier than we thought. Disregarding denial of service attacks, which are best tackled through concerted action by ISPs, the greatest security problem is simply the inadequate configuration of features that already exist. Unfortunately, much of the impetus to greater security comes from technology vendors, and they have only a secondary interest in persuading people to use existing capabilities. Yet a constant awareness that security is simply good practice is enough to ensure that software is configured to be relatively secure.

Then, should we always think of the deployment of security technology in relation to perceived risk? I was greatly heartened to find a major UK organisation that refused to buy into security simply from fear. It insisted a new security solution was deployed only if it enabled something to be done better and cheaper, as well as securely.

Of course, we need to grow up and realise that a world where information flies almost freely through shared networks is full of unexpected dangers. That should be a guiding principle, but we don't need to be paranoid, and we don't need to make decisions about security in isolation from reaching out for our more positive goals.

Do you agree with Martin's assessment? Post a Reader Comment below or mail editorial@silicon.com with your thoughts.

Martin Brampton is a director and founder of Black Sheep Research (http://www.black-sheep-research.co.uk), an independent consultancy providing research, writing and speaking services on a wide range of business and technology subjects. Martin was previously a director at Bloor Research, and has worked with IT as a user and analyst for over 20 years. He is a frequent contributor to silicon.com's Behind the Headlines TV programme and can be contacted at silicon@black-sheep-research.co.uk.