3. Not understanding that virtualization has pulled the rug out from under everyone's security footing.
Organizations are well on their way to achieving 80% virtualization of their server infrastructure, and desktop virtualization projects are increasing. But security is lagging, with many incorrectly assuming it begins and ends with VLANs. The reality is that virtualization architectures change everything by opening new pathways that can be exploited. As has happened so many times before in the IT industry, groundbreaking technologies have become available for use with inadequate attention paid to the security impact.
Some traditional security products, such as anti-virus software, often don't work well in virtual machines. Physical appliances may have new "blind spots." Today, specialized security products for virtualized environments are finally coming to market -- and security professionals need to figure out if any of them should be used, while also keeping up with evolving security plans from vendors such as VMware, Microsoft, and Citrix. Virtualization holds tremendous promise in eventually improving security, especially disaster recovery.
4. Not preparing for a data breach.
It's the nightmare scenario in which sensitive data is either stolen or accidentally leaked. In addition to technical detection and remediation, the law needs to be followed regarding data breaches. But which laws? Almost every state now has its own data-breach laws, and some federal rules, such as the HITECH Act, impact some industries, like healthcare. When it happens, a data breach is going to be an event -- and an expensive one at that -- that requires coordinated participation by the IT security manager, the IT department, the legal department, human resources and the public affairs divisions, if not more. Organizations should be meeting to plan for worst-case scenarios, conducting a data-breach drill internally.
5. Complacency with IT security vendors.
It's necessary to have solid "partnerships" with IT and security vendors. But the danger in any vendor relationship is forgetting how to look at products and services with a critical eye, particularly in terms of sizing up what they have in relation to their competition or finding new approaches to basic problems of authentication and authorization, vulnerability assessment and malware protection. Many vendors are struggling to adapt traditional security controls to the realms of virtualization and cloud computing. In some sense, it's a time of chaos as the IT industry undergoes a reinvention. But that only means that IT security is going to have to push harder to get what it believes the organization needs now or in the future.