I do not disagree. It corresponds to an attitude reverberating throughout the industry. Heads of companies are asking, “What benefits are we getting from the money we have been pouring into IT?” Yes, the dreaded ROI question. As IT becomes a greater percentage of a company’s budget, this becomes an even more important question. Security is especially susceptible to this because it is not so much about producing as about preventing. It does not matter if your group is private or government, large or small. There is always some degree of accounting that must be done. Now, politicians are prone to demand accounting, mostly when things go wrong. Though, they probably really don’t want a truthful accounting. It would show the odd way things are done and funded.
An interesting news item that does make one wonder how many layers of security had to be busted to allow this to occur:
http://www.cbsnews.com/stories/2006/12/05/national/main2232633.shtml
The FBI has conducted two interviews and may schedule a third with the woman who walked out carrying classified documents from what’s supposed to be one of the most secure facilities in the world, the Los Alamos National Laboratory, CBS News has learned. The incident has exposed continuing security weaknesses at Los Alamos, which has been the focus of security and management scandals for seven years.
The government is moving towards better trained workers, in both their employees and their contractors:
http://www.fcw.com/article96954-12-04-06-Print&secnewsletter=yes
Contractors advised to follow DOD regs on security training
Mandated security training for DOD workforce applies to DOD contractor employees, too.
Of course, security is not only about risk but also about costs. With additional disclosure laws and legislation being passed regularly, agencies find themselves in a different environment (never mind the risks of our changing world). Speaking of disclosure, the Attrition site provides an open source database of data breaches. It is intended for data analysis, but it also makes for an interesting look through. Visit:
http://attrition.org/dataloss/dataloss.csv
For a site more readable by humans, take a look at the Privacy Rights site. It must be the open source side of me, but I do believe all this is leading us to a more secure world. Security through obscurity only protects you from those who are not very sophisticated. That is well and good, and for some, it can end there. But I never did care much for the ostrich approach to security. In today’s modern world, where we are so closely connected, many organizations had better improve their security. It is better to find the problems, fix them, and in so doing build up your level of security. It is the price one has to pay to be connected.
