Wednesday, July 11, 2012
In my posting How Hacker Targets Become Victims on the InfusionPoints blog site, I implied a little secret about the information security industry regarding the tools that we've come to believe are absolutely necessary. They are not as effective as you typically think they are. In fact, many are slowly sucking us dry without providing much value in return.
I recently registered for a website hosted by a government agency that handles some of the most sensitive personal information available within the U.S. Government. While the site is only a simple scheduling system, imagine my dismay when I received an email confirming my registration that included both my username and password in the email body. That email demonstrates that, despite all of the reported attention to security over the past several years, especially within the Federal Government, we are failing to build an effective information security culture.
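A registration mail that contains the password is a symptom, not just a bad template: the system could only write it into the message because the plaintext was still on hand after sign-up. The following is an added example (not code from this post or from the agency's site) of how a registration flow avoids that: it keeps only a salted PBKDF2 hash, mails a single-use confirmation token instead of the credentials, and compares hashes in constant time at login. The in-memory dictionaries, the confirmation URL on example.invalid, the iteration count and the 15-minute token lifetime are all assumptions standing in for a real database, mail server and policy.

```python
"""Registration flow that never keeps or e-mails the plaintext password.

Added example, not code from the original post or from the agency's site.
The in-memory stores, the token lifetime, the URL and the returned mail
body are assumptions standing in for a database and a mail server.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000    # assumption: tune to your own hardware
TOKEN_TTL_SECONDS = 15 * 60    # assumption: confirmation link valid 15 minutes

USERS = {}            # username -> {"salt": bytes, "hash": bytes, "confirmed": bool}
PENDING_TOKENS = {}   # token -> (username, expires_at)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext cannot be recovered from this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str, now: float = None) -> str:
    """Create the account and return the confirmation e-mail body.

    Only a salted hash is stored, so the password is gone once this returns.
    The mail carries an opaque single-use token, never the credentials.
    """
    now = time.time() if now is None else now
    if username in USERS:
        raise ValueError("username already registered")
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt), "confirmed": False}
    token = secrets.token_urlsafe(32)
    PENDING_TOKENS[token] = (username, now + TOKEN_TTL_SECONDS)
    # Hypothetical confirmation URL; only the token goes into the message.
    return (f"Hello {username},\n"
            f"Confirm your account: https://example.invalid/confirm?t={token}\n"
            "If you did not register, ignore this message.\n")


def confirm(token: str, now: float = None) -> bool:
    """Consume a confirmation token; False if unknown, already used, or expired."""
    now = time.time() if now is None else now
    entry = PENDING_TOKENS.pop(token, None)   # pop: a token works exactly once
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    USERS[username]["confirmed"] = True
    return True


def verify_login(username: str, password: str) -> bool:
    """Recompute the hash for the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None or not record["confirmed"]:
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def leaks_secret(mail_body: str, password: str) -> bool:
    """The check the author effectively did by eye: is the password in the mail?"""
    return password in mail_body


if __name__ == "__main__":
    body = register("jdoe", "correct horse battery staple")
    print(body)
    print("password leaked in mail:", leaks_secret(body, "correct horse battery staple"))
```

The point of the token is that it is worthless after one use or after it expires, so a copy of the mail sitting in a mailbox or a mail relay's logs buys an attacker nothing; a password in the same place is good until the user changes it, and usually longer because people reuse it.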
Imagine that each of us would need a tank to safely drive on the road. We would be well protected from any obstacles that could come our way, but at the expense of speed, agility, and cost. We could also blow each other up, forcing us to buy bigger and better tanks all of the time to retain a consistent state of security. That's the kind of environment that companies face when using the Internet. Rather than being able to invest in economical transport, each has to regularly procure stronger individual protection to defend themselves. What went wrong?
I'm not a professional blogger and this isn't a forum for absolute facts. Instead, I mean for this blog to present an unfiltered view of my IT philosophy and how it has evolved and continues to evolve over time. Why me and why now? This blog isn't some egocentric examination of self or a venue to simply expel all of my thoughts on the world (at least I don't really intend for it to be). Rather, I think that the industry takes itself way too seriously when it comes to its mission to improve business, and there are too few voices out there willing to really conduct a detailed and extended analysis of whether technology really helps. Journalists are beginning to get it, but few truly get IT and information security in an intelligent way. Beyond that, I've found that there is way too much FUD (Fear, Uncertainty, and Doubt) that drives IT decision making. I hope that I can help folks in some small way to make better decisions about their IT and security procurements.