Does Anyone in IT Really Care About Security?


Noted cryptography expert Bruce Schneier may be the world’s top authority on computer security. He’s written his own encryption protocols, for God’s sake, and he almost got the TSA to admit that it’s useless.

You would think that Schneier would have the most secure home network on the planet, but that’s not the case. Schneier’s Wi-Fi setup doesn’t use the latest security protocols. In fact, there’s no encryption on it at all.

In a surprising blog post that generated a ton of commentary when he wrote it in 2008, Schneier called his policy one of “basic politeness,” providing Internet access for his guests and anyone else who might happen to wander by. Risks? Sure, even Schneier admits they exist – hasn’t the old “someone else downloaded music/movies/child porn using my Internet connection” argument been played out by now? – but he holds that they aren’t realistic. Hackers parking in front of his house? Neighbors breaking into his desktop to steal his tax return? Really?

Don’t get me wrong: I applaud Schneier for his chutzpah in opening up his network to his community. I wish I had the stones to do it, but I live in a densely populated city and my network is slow enough as it is. An open network in an urban environment virtually ensures you’d be redlining your connection with BitTorrent activity 24 hours a day.

But still I have to wonder: Has Schneier’s cavalier approach to security given IT the wrong idea? After all, if the man that ought to be the U.S. Cybersecurity Czar leaves his personal network open, why should any of the rest of us worry?

The modern tech worker has a hell of a job on his hands. Whether it’s part of his job or not, he faces a barrage of requests coming down from on high on a near daily basis. How many of these have you heard in the last few months? Figure out a cloud strategy. Determine what the company is going to do about tablets. Will you use HTML5 or Flash on the new website? Or both? Develop an iPhone app. And an Android app. And a webOS app. (OK, joking about that last one. No one develops webOS apps.) And of course, there’s infrastructure to contend with – you know, your actual job – and that aging fleet of laptops and desktops isn’t getting any younger.

Against this backdrop, IT is of course also tasked with keeping all of these things safe from harm. But security has now become one of those things that is routinely ignored unless there is a problem.

This is not a new issue. Security rarely makes the news unless a breach has occurred, and it has to be a major one at that. Stories of stolen credit cards, Social Security numbers, and user names and passwords are now common to the point of tedium. To be sure, no CEO wants to have to deal with the damage control and expense that comes with being the victim of one of those attacks. But what guidance does the executive team offer aside from “don’t let that happen to us”? And, more importantly, what kind of money is management ever willing to invest in equipment, staff, and training on all manner of security? What reward has IT ever received for preventing a security breach, anyway?

It’s a head-in-a-hole mentality that certainly rubs off on IT.

This isn’t hyperbole. It was in this environment of apathy, ignorance, and stinginess that, earlier this year, Unisphere Research, Application Security Inc., and the Oracle Application Users Group collectively polled 430 OAUG members about their security habits and knowledge level. The poll covered people who touched just about every aspect of the IT function, from IT directors down the line to analysts and financial management professionals.

The results are alarming. Only 22 percent of those polled claimed to be “extensively involved” in security, and just 4 percent said they were “fully informed about security breaches within their organizations.” One-third “expressed a lack of understanding of security threats” making the rounds.

And then things really get scary: 80 percent of those who said their companies had a security breach last year didn’t have key details about the attack. And only 10 percent could quantify how much the breaches cost to clean up.

How about the overall budget for security? More than half of the respondents didn’t know what it was, or simply didn’t have one. And half – the other half, presumably – said that they felt that their security budgets were too small.

The OAUG called the results “surprising.” Computerworld used the more appropriate term in its headline: Disturbing.

One gets the impression the members of the OAUG didn’t just not care about security, they didn’t particularly care about the results of the security poll, either.

So where does that leave us? Everyone from management to the rank and file seems to look at security as a chore, as “someone else’s job.” There aren’t any easy solutions to this, of course, not even a massive top-down initiative to put the issue at the top of everyone’s mind. Anyone remember how well that stunt turned out for Microsoft? (Here’s a hint.) Maybe it’s hard after all to blame anyone for simply pulling up the covers and wishing that all their security problems would just go away.

Christopher Null writes about technology extensively for Wired, PC World, and Maximum PC. He was the founder and Editor-in-Chief of Mobile PC magazine and spent four years blogging about tech daily for Yahoo! You can find his running commentary at chrisnull.com.

Keep up with security news: follow eSecurityPlanet on Twitter at @eSecurityP.