Managers can be freakier than hackers

One thing that surfaced at the Vulnerabilty Summit was the possibility that - as bizarre as it sounds - corporate management was a bigger threat to security than the big, bad hackers of the world.
Written by John Taschek, Contributor

It was a frightening prospect, but eWEEK and security company Guardent (guardent.com) finally brought the hacking (that is, computer enthusiast) community together with vendors and users in one room. The intent of this meeting was to initiate work on a best practice for how security exploits should be released to computer vendors and the public.

We called this the Vulnerability Summit (vulnerabilitysummit.org), and given the highly entertaining and sometimes caustic nature of the responses to my earlier column on it (see www.eWEEK.com/links), it was high time for such an event.

I suppose things could have gotten ugly. Fortunately for all of us, everyone maintained a professional attitude, and though there was more than a full day's worth of lively discussion, everyone seemed to have the same goal - safer computing. The other reason war didn't break out was that none of the attendees showboated, and all maintained mutual respect for one another.

There are, unfortunately, obstacles to everything. One thing that surfaced at the summit was the possibility that - as bizarre as it sounds - corporate management was a bigger threat to security than the big, bad hackers (as in attackers) of the world.

The reasons are simple and appalling: Corporate management understands profits better than it understands the importance of a secure environment. Corporate management has always been preoccupied with risk management. The execs are always asking themselves how much damage their companies could sustain without drastically affecting the bottom line. The less cynical among us (Pollyannas!) call this the cost-benefit analysis.

In the past, this sliding scale of profit versus quality assurance may have been useful. But there are buffoons in every company, and they're the same ones who came to the conclusion that it was cheaper to settle lawsuits than it was to redesign the gas tank on the Ford Pinto to another location.

But we're now coming to the point where this buffoonery is impacting the safety of our industry. At the summit, I heard stories of how top financial institutions resisted installing known patches onto their firewalls, even though serious security holes - and their appropriate fixes - had been disclosed months before. Why? Managers believed that the cost of installing the fix outweighed its benefit.

It's the IT manager's job to alert management about security issues. But management might ignore the alert, especially if computer systems have to be downed, or - egad! - if the purchase of new software is involved.

In a way, I can't blame the buffoons for their thinking. We hear stories all the time about how simple hardware installations have downed Web sites, such as eTrade, for days. We see messages on supposedly 24-by-7 Web sites that say they'll be down for maintenance between 2 and 4 a.m.

These are big problems indeed. Yet they are nothing compared with the impact of not securing a network. There are whole new breeds of attacks out there. We only hear about a fraction of the exploits. The biggest and most dangerous attacks are hidden from the general public and corporate management.

Eventually, however, we'll see a rise in online organized crime - it's only natural - and much more dangerous attack methods. This could be disastrous for the company that places short-term profits over long-term security policies. It will be even more disastrous when lawyers convince Congress that companies should be liable for computer security negligence.

How does your management deal with security? Write me at john_taschek@ ziffdavis.com.

Editorial standards