I admit that I’ve been guilty in the past of making flippant remarks such as “we’re not a bank so don’t need Fort Knox security” and other such excuses for not doing things as securely as I might want to in an ideal world. Comments like this don’t help in the slightest and lead others to presume that security isn’t such an important consideration.
Conversely, we need to be pragmatic and seen to be complementary to business strategy. It’s a tough trade-off and one I’ve never been particularly comfortable making. An example of the sort of thing I mean is granting developers local administrative rights on their desktops. The reasoning is that there is a perceived requirement for them to be able to operate as administrators in order to perform their development tasks. However, I actually think that these are, in many instances, the very individuals we need to be managing more carefully. By opening up access I’m seen as being pragmatic and enabling, whilst in reality I’m grinding my teeth and wondering if we can’t segregate them from the rest of the building – preferably with barbed wire and a very high wall.
And, as we all really know, developers always insist on asking for more than what they really need. For instance, one such individual recently insisted to me they needed a copy of a live database to test against… on a laptop…
Back to the point which is that, while we’re not Fort Knox, we are a profit making business with a good reputation, and servers stuffed full of data that our customers would expect us to protect. So, it’s time to quit making the flippant remarks and for everybody to start taking security seriously. If that means upsetting one or two people who see security as being a block to their work then quite frankly I’d rather be seen as being over-cautious and diligent in my work than negligent.