One of the joys of being a traveling consultant is I get to see what does and doesn't work across a wide range of products and companies. Guess what? The same issues pop up again and again.
Here are the three most common big mistakes I see senior management make regarding computer security. Some are errors of omission, others of commission. All of them tend to have severe consequences.
[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld's "Fight Today's Malware" Shop Talk video and Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]
Buying vendor hype without testing
Almost every computer security product promises the world: Zero false positives! 100 percent accuracy! Hackers banished forever! Those of us in the field know such claims can't be met -- at least not in any practical way. The cost would be impossibly high.
For antimalware software to reliably detect 100 percent of all malicious apps, for example, it would take the product 10 times longer to scan, it would slow down your system even more than it already does, and you'd have to put up with an incredible number of false positives. The accuracy level today seems to be the best we can get without reducing our PCs to a crawl and generating excessive false alerts.
Faced with hyperbolic claims, senior IT management needs to behave like Doubting Thomas and challenge vendor assertions. When the sales pitch reaches a crescendo, say two simple words: "Show me." Make the vendor install the product for an extended test. Tell your vendors ahead of time that that your team is known for making the vendor to prove its claims in a real-world testing scenario.
Proof-of-concept testing tends to get a few results. First, it makes the vendor put up or shut up. Second, everyone gets to see how it works in a real-world environment. Third, the testing phase tends to build good vendor relationships. Everyone gets to learn about each other, friendships form, and a better outcome is more likely.
Focusing on the wrong priorities
This is my pet peeve. It's rare I find a customer who actually focuses on the cause of the biggest problems. For example, when a company's security is compromised, in most cases an end-user was tricked into running a Trojan or exploited via unpatched software. That's the case for 99.9 percent of all exploits. Yet almost every shop I visit has poor end-user education and poor patching. Usually the stuff that's most exploited (like Java) ends up last in line for patch updates.
I get invited to help install PKIs, network access control products, intelligent firewalls, and a bunch of other items that rarely have a big impact on the security of the environment. The customer spends hundreds of thousands -- if not millions -- of dollars on a huge, "advanced" rollout that probably won't net much bang for the buck.
If you're a CIO or CSO, do you know for sure what's causing the greatest number of exploitations in your environment? Do you have metrics to back it up? If so, are you committing the right amount of money and other resources to address the biggest problems in your environment? If not, what's stopping you?
Not accounting for drift
Consistency is the bane of hackers. Drift is how far off from the original configuration a computer or device has become. Less drift equals a lower security risk.
If I were ever a CSO again, I'd make most of my monthly metrics report about drift. How many end-user computers are running apps neither installed nor approved by IT? How many computers didn't get fully patched this month? How many servers are no longer configured the way we originally configured them? How many IP addresses aren't managed? The list goes on. The more IT stays on top of these factors, the lower the risk.
What can you do about these mistakes? For starters, it can't hurt to print out this article and "accidentally" leave a few copies around the office.
This story, "3 security mistakes your management is making now," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.