One of the joys of being a traveling consultant is I get to see what does and doesn't work across a wide range of products and companies. Guess what? The same issues pop up again and again.
Here are the three most common big mistakes I see senior management make regarding computer security. Some are errors of omission, others of commission. All of them tend to have severe consequences.
Buying vendor hype without testing
Almost every computer security product promises the world: Zero false positives! 100 percent accuracy! Hackers banished forever! Those of us in the field know such claims can't be met -- at least not in any practical way. The cost would be impossibly high.
For antimalware software to reliably detect 100 percent of all malicious apps, for example, it would take the product 10 times longer to scan, it would slow down your system even more than it already does, and you'd have to put up with an incredible number of false positives. The accuracy level today seems to be the best we can get without reducing our PCs to a crawl and generating excessive false alerts.
Faced with hyperbolic claims, senior IT management needs to behave like Doubting Thomas and challenge vendor assertions. When the sales pitch reaches a crescendo, say two simple words: "Show me." Make the vendor install the product for an extended test. Tell your vendors ahead of time that your team is known for making vendors prove their claims in a real-world testing scenario.
Proof-of-concept testing tends to yield a few results. First, it makes the vendor put up or shut up. Second, everyone gets to see how the product works in a real-world environment. Third, the testing phase tends to build good vendor relationships. Everyone gets to learn about each other, friendships form, and a better outcome is more likely.