Everything I know about computer security I learned in kindergarten

Dying to implement the latest surefire, algorithmically infallible defense? You're better off acting on time-tested wisdom

After more than 25 years as a computer security consultant, I've learned that the "secret" to good computer security is to do the simple things that we all know we should be doing better. The more I'm considered an "expert," the more I realize that almost any child could tell the world how to protect computers.

With apologies to Robert Fulghum, author of the perennially best-selling book, "All I Really Need to Know I Learned in Kindergarten," here's my attempt to share the simple truths of good computer security.


We are more alike than different
Every company I visit thinks it's terrible at computer security, and truth be told, that's usually correct. They also believe other companies are doing security a lot better than they are, and they want to learn the secrets of that success. Based on my experience consulting with the world's leading companies, this is the question that pops up most frequently: "How is company X doing computer security?"

The reality is, with few exceptions, every company I've visited does a bad job at computer security. Every company does a few things very well, a few things OK, and most things horribly. They don't patch well, they don't do event monitoring right, and they spend the majority of their time concentrating on projects that will not reduce risk by much.

They also share the same outcome: They can be exploited at will by any motivated hacker. If there is any comfort in the computer industry, perhaps it's that everyone is as bad as your company at stopping malware and malicious intruders.

Everyone is dealing with successful malware exploits, APT attacks, stolen intellectual property, and network cleanups. They're all desperately trying to figure out how to decrease the badness. No one, not even me, has it all figured out. No "experts" can legitimately guarantee you that if you do X, Y, and Z, the badness will be gone.

Talk to your friends
If there is a hidden jewel in this ugly situation, it's that a lot of people and companies are going through the exact same ordeal. They're trying all sorts of strategies and tactics, with varying levels of success. They also want to learn what you're doing and share their own successes and failures.

Many companies have reached out to other companies in their industry, formed informal coalitions, and shared their experiences. They share goals, projects, and vendor stories, and they establish formal networks. If they need help, they can quickly reach out to each other. If you or your company doesn't belong to a similar group, consider joining one or forming your own.
