I read this from Bruce Schneier, and it wasn't the article he referenced that got me thinking; it was this comment:

"The real issue here is that people don't understand that an airport is a complex system and that securing it means more than passenger screening."

This comment holds true for Information Security as well. The issue is that a network is a complex environment that involves many different systems, applications, connections and users. Securing it means more than traffic screening at one level.
I was speaking with someone the other day, and she commented that we didn't need to worry about security on her project because nothing was internet facing. That statement might have held some truth a few years ago, but not today. The average user doesn't realize all of the attack vectors into a system. They think that if you secure the perimeter, or stay off of it, then you are safe by default. Unfortunately, there are still some IT professionals who feel the same way.
At my company we are in the middle of rolling out a change control system. We have had a policy and a manual process for years, but it was always just a formality: someone would request to make this change at this time, and it was approved. The focus was to keep 4 groups from making major changes at the same time in case something went wrong. Now we are starting to make the requestors justify their request and give full documentation as to who, what, where, when, why and how. Most of the users do not like this. They whine and complain constantly. Luckily we have someone in control of the process who sticks to his guns and holds them accountable.
This is the same mentality that we need in all of IT/IS. We need to ensure that our users understand the where and why of security. That way they will understand that security belongs everywhere in the network, not just at the border.