InfoWorld Home / Security / Security Adviser / 3 security mistakes your management is making now

Roger A. Grimes

September 05, 2012

3 security mistakes your management is making now

The same security missteps play out again and again. Why can't management focus on the practices that actually lower risk?

By Roger A. Grimes | InfoWorld

Follow @rogeragrimes

Print|

One of the joys of being a traveling consultant is I get to see what does and doesn't work across a wide range of products and companies. Guess what? The same issues pop up again and again.

Here are the three most common big mistakes I see senior management make regarding computer security. Some are errors of omission, others of commission. All of them tend to have severe consequences.

[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld's "Fight Today's Malware" Shop Talk video and Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]

Buying vendor hype without testing
Almost every computer security product promises the world: Zero false positives! 100 percent accuracy! Hackers banished forever! Those of us in the field know such claims can't be met -- at least not in any practical way. The cost would be impossibly high.

For antimalware software to reliably detect 100 percent of all malicious apps, for example, it would take the product 10 times longer to scan, it would slow down your system even more than it already does, and you'd have to put up with an incredible number of false positives. The accuracy level today seems to be the best we can get without reducing our PCs to a crawl and generating excessive false alerts.

Faced with hyperbolic claims, senior IT management needs to behave like Doubting Thomas and challenge vendor assertions. When the sales pitch reaches a crescendo, say two simple words: "Show me." Make the vendor install the product for an extended test. Tell your vendors ahead of time that that your team is known for making the vendor to prove its claims in a real-world testing scenario.

Proof-of-concept testing tends to get a few results. First, it makes the vendor put up or shut up. Second, everyone gets to see how it works in a real-world environment. Third, the testing phase tends to build good vendor relationships. Everyone gets to learn about each other, friendships form, and a better outcome is more likely.

Tags: Security, Malware, Patch Management, Vulnerability Assessment

Print|

additional resources

Service Desk Comparative Report

White Paper

Service Desk Comparative Report

Gartner's recent magic quadrant for IT Service Support Management included no vendors as leaders or innovators. Learn why and how ITinvolve is delivering an innovative service desk solution that empowers IT staff through social collaboration and visualization to improve incident analysis and triage to speed incident resolution time.

Read now »

View the discussion thread.

List of all recent posts

Recommended Resources

See all White Papers / Webcasts Recommended Resources

Recommended Resources

See All Jobs » Post a job for $295 »

Jobs powered by SimplyHired

Data Storage Stress? AT&T shows you four easy ways to get relief here.Intel®-based tablets think the way you work. Find one for your business Is your BYOD plan exposing you to risks? Top BYOD Issues to Address Splunk - Machine data goes in, business insight comes out. Learn more.Cisco SmartPlay -UCS C24 M3 Rack Server with Intel® Xeon® processors Jumpstart business transformation with VCE solutions for SAP Platform without Boundaries - Extend your Datacenter Check out Gartner Predicts 2013: Application Integration Rugged and reliable Panasonic Toughbook® mobile computers.Fight on-premise, zombie ERP with the Plex Cloud.Arbor Networks stops DDoS and advanced threats - learn more The next performance revolution is here - Compuware APM for Mainframe.Reduce Your TCO: Deploying Content Management in the Cloud.Save ~$500 Per Node over 4 Years with Supermicro® FatTwin™ SuperServer®!EMC Introduces World's Most Powerful Hadoop Distribution: Pivotal HD Looking for a Security Scan to find Network Monsters? Try PureCloud for FREE And find out where your vulnerabilities may be lurking.Redefine Mobility Mgmt at Enterprise Mobile Hub Top Ten Myths About Recovering Deleted Files Free VMware Backup: VeeamZIP for your VMs!Webcast: A Breakthrough in Service Delivery for Data Center Workloads

Imagine a future shaped by simplicity. See it at HP Discover 2013. Register Now.How big is your 'phishing attack surface'? Find out now. A new free service!Improve your ROI by the power of three with HP Converged Storage.Intel ProLiant -Double compute density to tackle bigger workloads with HP ProLiant servers. Learn more Cisco SmartPlay - limited-time offers on Cisco UCS C-Series Servers Focus on business, not infrastructure with VblockTM Systems from VCE The power of HP Converged Infrastructure is here. Click here to learn more.What's your Integration Strategy? View Gartner Predicts 2013: Application Integration.Prestigious Online Masters Degree. Now earn your Master of Science in Information Technology Systems (MSIST) from GWSB. Learn more.Cervalis robust co-location, managed hosting, cloud computing.AirWatch - Leader in the Gartner Magic Quadrant Report for MDM. Download Now Transform enterprise IT with ServiceNow. See how easy IT can be.Connect to the Cloud faster with Comcast Business DEMO Velocity: Create branded interactive live events & training.See how Royal Caribbean is unlocking intelligence w/ Windows Embedded.Need low cost storage to protect precious content? Six is the Fix! Use LTO-6 Tape!openBench Labs: How Diskeeper 12 Keeps the Latest Windows OS Running Like New IDC Report: Managing the I/O Explosion Without Extra Hardware Storage, speed, security. Lexar Media Enterprise solutions get down to business.See IBM CloudBurst's self-service user interface in action

InfoWorld Technology Marketplace

» BUY A LINK NOW

©1994-2013 Infoworld, Inc.