Saturday, September 10, 2005

Dumb Ideas

The field of Information Technology (IT) security — part of my work for many years now — is notoriously full of uninformed "experts", snake-oil salesmen, useless (or even harmful) technology, and poor management. In my own experience, the majority of the effort and money poured into "IT security" is completely wasted — or worse, actually causes harm either directly or by diverting resources away from efforts that would actually increase security. For example, I've had bosses demand that we install an extra firewall, but refuse to spend 10% of that cost on educating employees about social engineering attacks. Really dumb.

Marcus Ranum (a well-known figure in the IT security world) has an article called the "Six Dumbest Ideas in Computer Security". It's an interesting and amusing read. My favorite:

#6) Action is Better Than Inaction

IT executives seem to break down into two categories: the "early adopters" and the "pause and thinkers." Over the course of my career, I've noticed that dramatically fewer of the "early adopters" build successful, secure, mission-critical systems. This is because they somehow believe that "Action is Better Than Inaction" - i.e.: if there's a new whizzbang, it's better to install it right now than to wait, think about it, watch what happens to the other early adopters, and then deploy the technology once it's fully sorted-out and has had its first generation of experienced users. I know one senior IT executive - one of the "pause and thinkers" whose plan for doing a wireless roll-out for their corporate network was "wait 2 years and hire a guy who did a successful wireless deployment for a company larger than us." Not only will the technology be more sorted-out by then, it'll be much, much cheaper. What an utterly brilliant strategy!

There's an important corollary to the "Action is Better Than Inaction" dumb idea, and it's that: "It is often easier to not do something dumb than it is to do something smart."Sun Tzu didn't really write that in "The Art of War" but if you tell IT executives that he did, they'll take you much more seriously when you counsel a judicious, thoughtful approach to fielding some new whizzbang. To many of my clients, I have been counselling, "hold off on outsourcing your security for a year or two and then get recommendations and opinions from the bloody, battered survivors - if there are any."

Thanks to Bruce Schneier (who doesn't always agree with Marcus) for the pointer...

No comments:

Post a Comment