Rethinking Security

The bad guys are winning, end users are still behaving badly, and security pros are spinning their wheels. Is it time for a new strategy?

February 8, 2008


1:52 PM -- In a business supply store recently, I was struck by a small framed picture offered for sale on one of the shelves. The picture showed a medieval knight sitting down, helmet off and head bent, with dents and burns all over his armor.

"Some days," the legend read, "the dragon wins."

This week, it seems, security pros had a lot of days like that. Whether it was untrainable users, devious attackers, or outspoken critics, it seemed like everybody else was winning. And you can't help but wonder if it isn't time for some new thinking.

The dragon's first blow was the publication of a six-month study commissioned by Cisco, which seems to prove what many of us have suspected for years: that users actually do understand company security policy, but they ignore it anyway. (See Remote Workers Still Living Dangerously, Cisco Study Says.)

The thrust of the report is that end users are so driven to make better use of their time that they throw a great deal of security protocol out the window. They use work computers for personal tasks, share them with friends and family, and piggyback on their neighbors' WiFi connections. So what, you may well ask, was the use of all that security training?

Meanwhile, the bad guys just seem to get badder. While most security departments are still struggling to deal with the effects of Storm, researchers have discovered a new botnet, MayDay, which appears to be even more powerful and difficult to detect. MayDay is not nearly as large as Storm, but it could potentially do more damage due to its more sophisticated and targeted approach. So even if Storm is calmed, the bad guys still have a leg up. (See MayDay! Sneakier, More Powerful Botnet on the Loose.)

And as if recalcitrant end users and innovative attackers weren't enough, some critics have begun to question whether IT security organizations really know what they're doing. A Deloitte & Touche study released this week says that 46 percent of high-tech firms -- the ones that should be most prepared -- don't even have a security program in place. (See High-Tech Firms Fall Short on Security.)

Verizon security executive Peter Tippett, who is also chief scientist at ICSA Labs and the inventor of the first commercial antivirus program, took it one step further. Tippett says that about a third of the processes currently employed by IT security pros are a complete waste of time. (See Antivirus Inventor: Security Departments Are Wasting Their Time.)

Tippett's assertions aren't crazy. In a nutshell, he's suggesting that security people put a ton of work into processes that make their organizations only marginally more secure, while ignoring other processes (and some products) that could have a much greater impact on the number of security incidents they experience.

While you could argue some of Tippett's specific examples, his premise is unassailable: Security pros need to do some rethinking about their strategies. Security efforts must be matched to risks, and ineffective security processes should be scrapped or reconsidered. With all the dragons out there, today's security knight can't afford to sit still.

— Tim Wilson, Site Editor, Dark Reading
