Focusing on the wrong priorities
This is my pet peeve. It's rare I find a customer who actually focuses on the cause of the biggest problems. For example, when a company's security is compromised, in most cases an end-user was tricked into running a Trojan or exploited via unpatched software. That's the case for 99.9 percent of all exploits. Yet almost every shop I visit has poor end-user education and poor patching. Usually the stuff that's most exploited (like Java) ends up last in line for patch updates.
I get invited to help install PKIs, network access control products, intelligent firewalls, and a bunch of other items that rarely have a big impact on the security of the environment. The customer spends hundreds of thousands -- if not millions -- of dollars on a huge, "advanced" rollout that probably won't net much bang for the buck.
If you're a CIO or CSO, do you know for sure what's causing the greatest number of exploitations in your environment? Do you have metrics to back it up? If so, are you committing the right amount of money and other resources to address the biggest problems in your environment? If not, what's stopping you?
Not accounting for drift
Consistency is the bane of hackers. Drift is how far off from the original configuration a computer or device has become. Less drift equals a lower security risk.
If I were ever a CSO again, I'd make most of my monthly metrics report about drift. How many end-user computers are running apps neither installed nor approved by IT? How many computers didn't get fully patched this month? How many servers are no longer configured the way we originally configured them? How many IP addresses aren't managed? The list goes on. The more IT stays on top of these factors, the lower the risk.
What can you do about these mistakes? For starters, it can't hurt to print out this article and "accidentally" leave a few copies around the office.
This story, "3 security mistakes your management is making now," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.