Security's Everyman

Friday, December 22, 2006

Thinking Differently in 2007

I've read a couple of posts (one from Ross Brown of Technobabylon and one from Andrew Hickey of ) that have spurred my thoughts on 2007. We all know that the bad guys are getting better and the good guys usually play catch-up. Most small companies, and many larger ones, don't have the financial or manpower resources to adequately test their network for functionality, much less for security weaknesses, at least beyond the "obvious" ones. Keeping up with everything that needs to be done can be daunting no matter the size of your organization or network.

If we are to make 2007 and forward successful from a security and networking standpoint we have to change our thinking. We have to take steps, big or small, to change how we view things and therefore how we design, build, maintain and protect our networks and data. We can't continue to do things as we've always done them. Maintaining the status quo may make you feel good and often look good on the books or to Senior Management, but that doesn't mean that it is what's best for the company.

Ross talks about being creative in our thinking as we assess our security. Some of his suggestions are good, but some are not achievable by many small companies with limited resources, at least not without putting more work on an already overworked staff. Yet that IT staff isn't left out in the cold either. They just need to take a few minutes and think about how they currently do things and what small thing they can change that will either save them time or allow them to see their security from a different perspective. Those small changes may be just what is needed to prevent a problem. At the very least, if they are well thought out, they will work together over time to make you more secure.

We also have to look at why we are doing what we are doing. It's easy to not rock the boat, but sometimes the boat needs rocking. We're in the process of building a new network at work. Our CIO wanted to put in a Frame Relay network and build it just like every other network he has ever built. Why? Not because it was necessarily the best option but because it is what he knows. It has worked in the past and he is comfortable with it. When I mentioned other options he gave me the opportunity to build my case and convince him why something else would better suit our needs. As we have been talking with various vendors and looking at different options we could have continued to stick with the "tried and true" or followed the advice of the vendor on how to "best" build this portion of our network. Doing so would have been easy, but not necessarily the best option for our business. Many things that were suggested were overkill for our environment or they would not have given us the needed flexibility for future implementations that are planned. We had to think differently than we did in the past to make these decisions.

I know you are thinking this is common sense, and you are right. Who, in their right mind, blindly follows their vendor's recommendations? Who continues to do things "because that's the way we've always done it"? Many, many people and companies do just that. That is the problem. That is why companies continue to struggle with security. They either overdo it or don't have the infrastructure to support what they need, so they do without.

One quick story and then I'll stop. I have a friend who works for a company that uses Symantec AV. He tried to talk his boss into switching to another vendor, but his boss said, "Why change? I've used Symantec for years and never had any problems." Now, for the second time in a year, he is having to patch major holes in all of his Symantec clients. A change in thinking could have prevented this unnecessary extra work and left them safer in the long run.

So as you move into 2007, think about how you think about your job. Look at how you do things and come up with different ways to "shake things up." Obviously, don't do anything different without testing it and getting proper approval, but most importantly, don't stay stagnant in your thinking. Even if you aren't able to implement some of your ideas, they will make you a better security practitioner or network guru just because you stretched your mind.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.