
February 26, 2008

McGovern's "Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security"

James McGovern over at the Enterprise Architect blog wrote a really fantastic Letterman's Top 10 of mistakes that CIOs make regarding enterprise security.  I've listed his in its entirety below and added a couple mineself... ;)

  • Use process as a substitute for competence: The answer to every problem is almost always methodology, so you must focus savagely on CMMi and ITIL while not understanding the fact that hackers attack software.

  • Ostrich Principle: Since you were so busy aligning with the business, which really means that you are neither a real IT professional nor a business professional, you have spent much of your time perfecting memorization of cliché phrases and nomenclature and hoping that the problem will go away if you ignore it.

  • Putting network engineers in charge of security: When will you learn that folks with a network background can't possibly make your enterprise secure? If a hacker attacks software and steals data yet you respond with hardware, who do you really think is going to win the battle?

  • Over-rely on your vendors by relabelling them as partners: You trust your software vendors and outsourcing firms so much that you won't even perform due diligence on their staff to understand whether they have actually received one iota of training.

  • Rely primarily on a firewall and antivirus: Here is a revelation. Firewalls are not security devices; they are more for network hygiene. Ever consider that a firewall can't possibly stop attacks related to cross-site scripting, SQL injection and so on? Network devices only protect the network and can't do much nowadays to protect applications.

  • Stepping in your own leadership: Authorize reactive, short-term fixes so problems re-emerge rapidly.

  • Thinking that security is expensive while also thinking that CMMi isn't: Why do you continue to fail to realize how much money their information and organizational reputations are worth?

  • The only thing you need is an insulting firm to provide you with a strategy: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.

  • Getting it twisted to realize that Business / IT alignment is best accomplished by talking about Security and not SOA: Failing to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security. Let's be honest, your SOA is all about integration as you aren't smart enough to do anything else.

  • Put people in roles and give them titles, but don't actually train them: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

Here are some of my favorites that I've added.  I'll work on adding the expanded explanations later:

  1. Keep talking about threats and vulnerabilities and not about risk
  2. Manage your security investments like throw-away CapEx cornflakes and not as a portfolio
  3. Maintain that security is a technology issue
  4. Awareness initiatives are good for sexual harassment and copier training, not security
  5. Security is top secret, we can't talk about what we do
  6. All we need to do is invest just enough to be compliant, we don't need to be secure
  7. We can't measure security effectiveness
  8. Virtualization changes nothing in the security space
  9. We've built our three year security strategy and we're aligned to the business
  10. One audit a year from a trusted third party indicates our commitment to security

Got any more?

/Hoff
