How to Cheat at Managing Information Security

Introduction

These days, any book on servers, firewalls, or protocols will have a whole section, if not several chapters, on why the security policy is the most important component of any firm s information security defense that the policy should be held in awe, like some sort of paper deity that anyone in the industry should pay homage to.

What a load of old nonsense! Such talk has held back the information security industry for many years and provided shelter for industry rogues who have no specialist knowledge or skill. They are wrong, and I ll show you why:

  • Did a policy ever stop a hacker breaking into a network? No, that was a firewall.

  • Did a security policy ever assess the security of a network link and then deem it too dangerous and so force its disconnection? No, that was a brave security auditor.

  • Did a security policy ever stop a worm in its tracks? No, that was antivirus software.

Of course, the hacker didn t stop his exploitation of a hack on a truly vulnerable IIS server when he heard that the organization had a really good security policy. Even some of the best organizations with the best policies didn t stop the MyDoom or Nimda viruses. But maybe, just perhaps, these best policies meant that many corporate computers around the world had up-to-date virus scanners that prevented their infection from these viruses.

That is the key. Security policies don t provide good security; they define security for an organization and...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Network Security Platforms
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.