
Atrophy, apathy and impotence

Events during January show that organisations are continuing to fail in all areas of Information Security. We've seen the massive credit card data breach of Heartland in the States, the Royal Navy hit by malware here in the UK, the Monster jobs sites hacked (again). It's disheartening and it makes the security industry and the individuals within it appear impotent.

The two big killers are complexity and the natural atrophy that sets in with every process. Networks are incredibly complex now: I can barely begin to describe the extent of the network of the organisation that I work for and there's certainly no real perimeter anymore. The systems running across the network are also complex and there are worryingly few individuals who really know how a lot of the technology works once you scrape away the user friendly interface.

The policies and processes in place to manage all that lot need constant attention and review. If there were some formula to measure the pace at which a process degrades, then the pace of change would be one of the variables along with the number of systems affected.

There is a third killer of security: apathy. Getting around that one when everyone else is tightening their budget belts, as plenty of us are finding out, is challenging. Clear communication and good reporting are the keys. Remind those with the budgets that we gain by not losing, and focus on a few important areas rather than spreading the security programme too thinly.

One positive thing from the recent incidents is that we can learn a lot from the misfortune of others. There but for the grace of some almighty and probably fictional (but I'm hedging my bets) deity go the rest of us...



About

This page contains a single entry from the blog posted on January 27, 2009 1:15 PM.
