Are you putting your security at risk?

With so much news right now regarding security, laws, and breaches, my security discussions have increased. Maybe “discussions” isn’t the correct word because although I want to talk about it they just want to state. They want to state what they have heard but don’t really want to talk about any of it. This worries me because if you are not having the discussion, then you may be putting your security at risk. Now you may be thinking that they may not be talking to me because this is security and part of being secure is being secretive, but that is not the case here.
For those that have chosen to answer the question, “why did you make that decision”, most answers are “I am not sure”… seriously?… You aren’t sure? How can that be? This is your job right? And yet you can’t tell me why you chose that product? Reminds me of the arguments I get in with TSA agents regarding the two bag limit for carry-ons. First off, females are always down one bag because most of us carry a purse. Second, if you are going to ask me to consolidate, you must realize that when I get past security, I just unconsolidate. I have not reduced space at all. I still have not received a single explanation for this rule. No one knows the problem that TSA is trying to solve. I digress… the fact is if you don’t know what you are fighting or what you are fighting for, the battle becomes harder. If you don’t know why you picked that product or implemented that solution, you certainly can’t fight your battle correctly.
If you react and only make claims based on what you see on TV, read on the web, or read in the papers, you aren’t getting the whole truth and you more than likely are not making the correct decision. If you pull out one solution and implement another one, this does not mean you are any safer. This isn’t how security works. Security requires you to spend time thinking about the known and unknown problems and the best ways to tackle them. It means picking the product, software, education, configuration and policy changes that solve the known and unknown problems. It means being proactive and not reactive. Ripping out one vendor for another vendor or changing the technology altogether will not make you secure. If anything, you may be putting your security at risk. There isn’t one product that will solve everything; there isn’t one answer. It is a journey and a discovery and you need to put time into it. Security is not solved or fixed with a flick of a switch. There are layers to it. I understand that it is difficult and the unknown is scary and there are no guarantees, but if you don’t know why you made the decision, you will never be secure. You need to stop putting your security at risk.

  1. #1 by Glory on April 16, 2013 - 11:23

    It's like you read my mind! You appear to know a lot about this, like
    you wrote the book in it or something. I think that you can do with
    some pics to drive the message home a bit, but other than that,
    this is a fantastic blog. An excellent read. I will certainly
    be back.

    • #2 by erinkbanks on April 22, 2013 - 11:06

      Thank you! I appreciate the kind words. I can’t wait to hear more from you
