I'm an engineer at heart with a dose of raw geek thrown in, so subjecting me to a roomful of marketers is akin to unleashing a Tasmanian devil in a china shop. During vendor meetings, they strap me into my chair as I try to avoid all the infosec chaff flying at my head. Inevitably, I find myself wondering, why do marketers love fear-mongering tactics? I mean, IT managers and CxOs already understand the value of strong security practices, right?
Wrong. Apparently, the message isn't hitting home. Even with the constant barrage of security talk spewed by media and marketers, IT managers can't get upper management to do anything about security. I believe this is due in part to a "see no evil, hear no evil" philosophy, but the fact that security still flies under the radar scope baffles me.
Consider some fourth-quarter happenings: Microsoft confirmed a remote intrusion complete with source-code theft. The University of Washington's medical center confirmed 5,000 patient records were lifted from its cardio unit. And Egghead.com (an organization that keeps an estimated 3.7 million credit cards on file) suffered a remote compromise. Companies are getting hit left and right, yet when it comes to spending money on security, IT must fight tooth and nail.
I'm just now starting to understand why fear-mongering is so popular: Corporate executives are practically begging for it. For those who face the managerial stance "we aren't Microsoft or Egghead -- we aren't a target," I have a story for you. Last year, we were performing a routine security assessment for a small organization. This organization has fewer than a hundred servers and does nothing involving credit cards or national security. Only eight hours into the project we realized something was awry. We found signs of intruders on not just one but many machines. Port scans on internal machines turned up strange services, and we even discovered Back Orifice. It quickly became obvious that not only had the network been severely compromised, but the intruders were in for the long haul.
If that doesn't scare you, this should. The folks at that small organization now face four options: Investigate every file on their systems and attempt to identify all possible Trojans, which translates into months of difficult work. Rebuild every machine from scratch and change every password on the entire network. Permanently disconnect from the Internet, eliminate dial-up access and hope the intruders weren't internal. Or continue operations and pray the problems and potential time bombs won't resurface.
How much will it cost them to clean up this mess? A lot more than it would have cost to apply patches and institute an information-security program. Here's my question for all oblivious CIOs: While ignoring the pleas of your IT department for security funding, have you ever considered how much it'll cost if your site isn't secured properly?
In my effort to embrace the dark side of the force, I'm starting a marketing campaign titled The SIIYF (Shove IT in Your Face, pronounced "siff") Project. I'll monitor the world's largest credit-card thefts, embarrassing defacements and whatnot, and I'll keep track of the cost to clean up the smaller nightmares. If the higher-ups understand anything, it's the bottom line. And each day, potential dollar losses grow larger. Meantime, send me your horror stories -- I'll read them the next time I'm strapped into a chair.
Greg Shipley is a Chicago-based security consultant. Send your comments on this column to him at gshipley@neohapsis.com.
RSS
