Security Pros Bemoan the Need for Focus
Ant writes "Computerworld has an article about more proactive initiatives falling by the wayside. Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection."
A serious issue... (Score:2, Insightful)
When I first saw the FDA requirements, I was horrified, but after thinking about it a while, I started wondering why all systems don't take this kind of approach.
It comes back to the old "when you're up to your ass in alligators..." problem. If you can deal with some issues on a more strategic level, you can try to design many of the day-to-day problems out of the system, allowing sysadmins to spend less time fixing the same problem over and over again.
Re:More of a strategic planning process.... (Score:3, Insightful)
But, but...that is the strategy.
Dude, I'd give you a free clue but you have to be able to hold it first. *bonk*
Security Pros are between a rock and a hard place. (Score:4, Insightful)
Security has always been the bastard stepchild of the IT world. Nobody wants to spend any money or time on it, but it is the biggest reason why networks fail. It's akin to buying insurance for your network. While some high-end gurus want to come up with methods of protecting networks on a high level, the folks who are writing viruses and spyware are working on new methodologies to counteract the standards. Compare this with the way battles were fought during the American Revolution - the British lined up in neat rows, and some American snipers hid in the surroundings. The British bemoaned the tactics, and were generally unable to understand or cope with the revolutionaries who "didn't fight fairly". The end result was Britain was defeated, and having general proactive security plans will also get defeated because the 'bad' coders don't play by the rules.
What may be a good idea is to train and develop more folks who look for security holes and spyware methods and plug them before they get exploited. Anti-spyware and anti-virus companies could do it, and they could use it as a marketing tool (Our new update protects against the IE URL buffer overflow hack!). Companies like MickeySoft can invest some of that capital they have lying around under their couch cushions to either promote (or buy) an AV company, and it would allow M$ to get exploits identified quicker, and perhaps hush the chatter on how hole-y their software is by fixing those holes before they become public.
So, like the rest of the IT world, I have to go on, day after day, reacting to any new threats that show up on my virtual doorstep. For most admins and security folks, that is their focus. When companies go down for lack of vigilance, their competitors will begin to see the use of having trained folks on-site to watch their backs.