
July 17, 2006

Was my article on good enough security, good enough?

Last week I wrote an article in response to a post by Michael Farnum, on the fact that too many times, we only do what is good enough when it comes to security. I went on to say that I think all too many times in our society in general, we have become a nation of good enoughers. A few readers commented and wrote that they actually do the best they can and are stretched to the limits of their capacity to do what they are presently doing. My good friend Mike Rothman commended me for my enthusiasm but told me I was barking up the wrong tree. The problem is security is a necessary evil, sort of like insurance, says Rothman. Richard Bejtlich in his Tao Security blog posted some of his notes from the 2006 Techno Security Conference regarding a presentation by Marcus Ranum. Marcus said "security ROI is dead" according to Bejtlich and "legislation has made security a cost". OK guys, I get it. However, let me say I think I was misunderstood.

Who I was referring to about the good enough thing was not the many overworked, underpaid security admins out there. I was referring to those folks who are more interested in complying with regulations than in actually providing security. The guys who just want to check the box, instead of protecting their data. I know for some of you out there the fact that there are people like this out there may be difficult to believe. However, as someone who sells and speaks to hundreds and thousands of companies, believe me when I tell you, there are people like that out there. Another major issue we see is that many well-intentioned security admins out there know just what they should be doing and how to do it. The problem is they have not been trained or do not have the experience in translating these technical issues to business issues for upper management. Subsequently it is easiest to just fall back to regulations to make the sale. Bottom line is for every person like Michael at MCW Research, there is at least one lazy administrator who is doing just enough. As long as there is a sizable number of people like that, we will have security that is maybe good enough, but not enough.

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.