Part of the problem with working in IT security is proving your worth. Bean counters can easily dismiss IT security as a money pit because we haven't been hacked. Proving that negative when budgets are tight can be challenging. I've actually heard the argument that IT security staff should be laid off because "who would bother hacking into our company?" Of course, the answer is obvious -- hordes of 14-year-old kids armed with underground hacking tools and boredom. Or, if you're unlucky, a Russian criminal organization that decides you're worth hacking after all.
The best way to try to protect against attack is to hire competent security people -- but also to make sure that new projects are not rushed into production in an effort to meet some kind of deadline defined by nontechnical management. That's exactly how big security holes are created and how everything falls apart very quickly.
Also, make sure you're conducting regular internal and external security audits from highly reputable firms. This should include everything from external penetration testing to training employees to avoid social engineering ploys. In addition, regularly scan for rogue access points and keep close tabs on what goes into and out of the data center -- and what's actually in there. After all, a SheevaPlug looks like a wall-wart power supply and could be doing all kinds of nasty things while affixed to a wall behind a desk when nobody was looking.
I know this advice sounds like your dentist admonishing you to floss three times a day and brush five, but it's good practice, even if these measures won't protect you from a few thousand loosely organized teenagers armed with Low Orbit Ion Cannon and IRC.
Let's face it, protecting an Internet-connected network of any size is no simple task, and it'll only get harder. If you've never been compromised, it's probably not because your security is all that great; it's because you haven't been noticed -- yet.
This story, "How security became mission impossible," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com.