I try to talk to lots of people who are in IT and especially in Security. I like to get a feel for what is going on in various organizations with respect to security. I'm curious about who has a grasp on what security really is and who has no clue. I've discovered that there are lots of companies who really have a very limited view of security and who only practice basic security. They do just enough to get by and make the auditors happy. As we all know security is not achieved by being compliant.
I'm often surprised at what companies allow to happen on their networks.
- Leaving access points open or with minimal security
- Allowing any consultant, auditor, or "friend" to connect to the network
- Opening ports in the firewall because the "need" this application.
- No Acceptable Use Policy for computer and network access
- Allowing administrator access to local systems
- No hard drive encryption
- Etc, etc, etc,.....
I've also discovered that many Security Professionals who work in these organizations are really frustrated. They work hard to keep things safe only to have Management subvert the process because it makes things easier. I've been there myself.
As I talk to people at all levels of IT management and in the field I realize that many people don't think about security being a key issue in IT. They assume that if they are behind a firewall and have AV installed then they will be OK. They don't realize that this is not 1998 any more. It often shocks me because I assume that everyone who is in IT thinks security. Even before I started focusing on security in my career I just naturally took security into consideration when doing my networking duties. I thought it was just how things were done. Then I remember the stories I read, the people I talk to and the things that I've seen and am reminded that many people don't realize that security needs to be a natural part of IT. Basic security is often ignored and when it isn't it is often just enough. Just enough is never enough.
That is why I think that those of us in Security have to keep fighting hard to keep us safe, all the while preaching and teaching real security to all that will listen to or read what we have to say. We have to argue our point with management and give them hard facts as to why what we have to say is worth listening to.