Recently President Obama warned city mayors not to waste the money coming from the newly passed stimulus bill, and he warned that mayors caught doing so would be called out. I say we should adopt the same stance toward spending in general, and specifically toward spending on information/computer security.
There are hundreds of reports, interviews, blogs, etc. that constantly advise anyone and everyone that security is critical to our infrastructure, our privacy, business success, and so on. Yet security incidents continue to happen. Let me also state a well-accepted tenet: there are some very smart hackers out there that no realistic security budget will be able to defend against all of the time. But many incidents occur for far more mundane reasons: a system was not configured correctly (even though hardening procedures are readily available); an administrator turned malicious; patches were not applied in time; staff members (IT and end users alike) were not adequately trained; and so on.
What I am advocating, similar to the President's warning, is a method of calling out organizations when an incident occurs that can be directly attributed to some cause other than the "smart hacker."
Basically, my idea is to publicly (or at least to shareholders) demand to know how a security incident happened. What was the underlying cause of the breach? Why was it allowed to happen? How did it happen? Were users not adequately trained? Were readily available secure configurations applied? Were all current security patches installed and operational?
The answer will commonly be a lack of funds, and to some degree that is acceptable. The fact is that if there is no money in the budget, there is no money, period. And it is true that some security devices, not to mention consulting, can be rather expensive. I am also referring only to reasonable security requests and initiatives; I am not in favor of simply giving security departments a blank check, which we all know is unrealistic. But after an incident has happened and the press, the public, or the government (take your pick) are eager to know what exactly happened, someone should be able to tell them. If security budgets were inappropriately used, or cut below the level that provides a solid baseline security posture, then let's call those practices out. Let customers know why this happened and what, if any, internal measures were taken to reduce the chances of it happening again.