
6 hard truths security pros must learn to live with

Roger A. Grimes | April 29, 2015
Caveat emptor: Security solutions will always fall short in addressing the fundamental flaws of securing IT systems.

Nearly every company in the world has thousands of vulnerabilities that hackers can easily exploit. For anyone working in IT, this is not a bombshell announcement. It's business as usual.

The reality is that IT invulnerability is impossible at any price point. Instead, companies spend a major portion of their IT budgets on computer security defenses to prevent hackers from taking advantage of those same everyday vulnerabilities. The theory is simple: With enough layers of security, the bad guys will look elsewhere for easier targets.

It's a dirty little secret in the industry that no computer security solution really works as well as advertised. Every "guaranteed-to-stop, advanced-security system" is doomed to failure. The promised goal shared by vendors and IT alike is nothing but a pipe dream. Our best effort is all we can do.

The following six hard truths of IT security show not only why today's security solutions fall short but how we, as IT pros and an industry, can mitigate at least some of the inevitable fallout of imperfect security solutions.

Imperfect distribution of defenses
It's hard to lay down an infallible defense when you can't put your software on every device in your environment. Security solutions, by necessity, work on only a subset of platforms and versions, and that subset is always smaller than what the customer actually runs. Some solutions don't support legacy devices and operating systems. Others fail to keep up with the latest OS releases and devices.

If one thing can be said about today's complex BYOD world, it's that the job of securing the network went from tough to impossible. Forget that security vendors don't support every platform. The base truth is that no one, not even IT, understands all the devices that are used to connect to your network. Is that a phone, slate, tablet, or subnotebook device? Does it run Windows, Linux, OS X, or a private OS no one on staff has ever heard of? Is it a physical or virtual asset? If it's a virtual machine, will it exist tomorrow? Is it running on a corporate host or on someone's portable device? Does it belong to us or a contractor?

Even for supported devices and platforms, device discovery and deployment are imperfect. You never get 100 percent of the devices scoped by your security solution, thanks to a myriad of issues, including network or site connectivity problems, firewalls that block agent traffic, offline assets, corrupted registries or local agent databases, separate security domains, and OS version changes that silently break the agent.
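That coverage gap can be measured rather than guessed at. The script below is an added example, not code from the article or from any vendor product: it reconciles a constructed asset inventory (entries attributed to CMDB, DHCP and ARP sources) against constructed agent check-in timestamps and an assumed vendor support matrix, and labels each host as covered, stale (agent installed but silent), missing (supported but never enrolled), unsupported (no agent exists for that OS) or unknown. Hostnames, OS strings, dates, the seven-day staleness threshold and the support list are all invented for illustration.

```python
"""Reconcile an asset inventory against a security agent's check-in records.

Added example. All sample data below is constructed; hostnames, OS strings,
timestamps and the vendor support list are invented for illustration.
"""
from datetime import datetime, timedelta

# Constructed: what the CMDB, DHCP leases and ARP tables say exists.
INVENTORY = [
    {"host": "web01",          "os": "Windows Server 2019", "source": "cmdb"},
    {"host": "db01",           "os": "RHEL 8",              "source": "cmdb"},
    {"host": "legacy01",       "os": "Windows Server 2003", "source": "cmdb"},
    {"host": "dev-vm-17",      "os": "Ubuntu 22.04",        "source": "dhcp"},
    {"host": "contractor-mbp", "os": "macOS 14",            "source": "dhcp"},
    {"host": "lab-switch",     "os": "unknown",             "source": "arp"},
]

# Constructed: last check-in per host as reported by the agent console.
# Hosts absent from this map have never reported at all.
AGENT_CHECKINS = {
    "web01":     "2015-04-28T09:12:00",
    "db01":      "2015-04-20T03:30:00",  # installed, but silent for nine days
    "dev-vm-17": "2015-04-29T07:45:00",
}

# Assumed vendor support matrix (prefix match on the inventory OS string).
SUPPORTED_OS_PREFIXES = (
    "Windows Server 2008", "Windows Server 2012", "Windows Server 2019",
    "RHEL", "Ubuntu", "macOS",
)


def classify_host(os_name, last_seen, now, stale_after,
                  supported=SUPPORTED_OS_PREFIXES):
    """Return one of: covered, stale, missing, unsupported, unknown_os."""
    if os_name == "unknown":
        return "unknown_os"      # discovery saw it; nobody knows what it is
    if not os_name.startswith(supported):
        return "unsupported"     # the vendor ships no agent for this platform
    if last_seen is None:
        return "missing"         # supported, but the agent was never enrolled
    age = now - datetime.fromisoformat(last_seen)
    return "stale" if age > stale_after else "covered"


def coverage_report(inventory, checkins, now, stale_after=timedelta(days=7)):
    """Map every inventoried host to a status and summarise the gap."""
    statuses = {
        item["host"]: classify_host(item["os"], checkins.get(item["host"]),
                                    now, stale_after)
        for item in inventory
    }
    counts = {}
    for status in statuses.values():
        counts[status] = counts.get(status, 0) + 1
    covered = counts.get("covered", 0)
    pct = round(100.0 * covered / len(inventory), 1) if inventory else 0.0
    return {"hosts": statuses, "counts": counts, "coverage_pct": pct}


def example_report():
    """Run the reconciliation over the constructed data at a fixed 'now'."""
    return coverage_report(INVENTORY, AGENT_CHECKINS,
                           now=datetime(2015, 4, 29, 12, 0, 0))


if __name__ == "__main__":
    report = example_report()
    for host, status in sorted(report["hosts"].items()):
        print(f"{host:16} {status}")
    print("coverage:", report["coverage_pct"], "%", report["counts"])
```

Run against the sample data, only two of the six hosts count as covered. The useful output is not the percentage but the reason column: the stale host can be fixed by a deployment push, the missing one by enrollment, while the unsupported and unknown rows are exactly the gap no amount of agent rollout will ever close.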

Add to that the political and managerial roadblocks in what is often called the eighth layer of the OSI model. Management silos, business units, departments, and systems that get exempted by default all mean that even if you have a brilliant idea for securing company assets, you might not be able to deploy it everywhere it's needed.

