It's safe to say that MasterCard, through its transaction processing partner, did not intentionally compromise the account information of millions of card holders. As one of the largest credit card associations in the world, MasterCard's whole business is based on trust, and it has been one of the leaders in network transaction security since the earliest days of the Secure Electronic Transactions (SET) initiative a decade ago.
Yet intentions are not enough when good security goes bad. "I think most organizations go into security with good intentions," says Peter Stapleton, director of Computer Associates eTrust Security Management. "But if you look at organizations like MasterCard and LexisNexis, the predominant failure in all of them has not been technology. It's been a business failure."
Indeed, technology can only get you so far, and that's the problem. Locking everything down with intrusion protection systems and firewalls is all well and good, but that, Stapleton says, is not real security. And things go bad when you think that it is. "The truth is that really good security just isn't that sexy," he says. "Good security is administration. It's in how you manage the technology and in how you manage the organization."
The heart of the problem is what Stapleton calls the "tool mentality." Technologists, he says, typically think that, if there's a problem, then there's a tool to fix it. There's nothing wrong with finding the right tool for the job, and IT departments could not do what they do to keep businesses running without them. The danger is when the tool becomes identified as the solution.
"Organizations will buy really good tools, but they won't necessarily have the overall business process framework to operate them in," Stapleton says. "They don't have the day-to-day management review and monitoring to get the most out of their technology investment."