Enterprise security today is in a sad, sad state. Cyber criminals are pulling off millions of dollars in heists on a daily basis. Tens of millions of corporate PCs are infected. Corporate networks are being pwned left and right. Although there is more than enough blame to spread for the situation -- end-users certainly play their part -- senior management deserves the lion's share of the responsibility.
For more than two decades, I've been auditing enterprise networks, and since the beginning, I've heard dedicated IT staff rail on and on about how management doesn't support improved security. Every enterprise environment I've seen lives in a perpetual state of insecurity, with porous boundaries peppered with long-term vulnerabilities.
Much of it has to do with an outdated approach to calculating security cost-benefit trade-offs. In business, you don't spend money unless the expenditure saves you or gains you more in return. For example, you don't spend a million dollars on antivirus software unless the potential damage you are avoiding would be more than a million dollars. Every computer security decision involves this calculation.
The problem is that for decades, number crunching determined that good computer security wasn't worth the cost. When hackers broke into an enterprise network, no matter how successful the attack was and how much bad publicity was garnered, the company's stock price was either unaffected or even rose. This was not lost on senior management. Thus, for all the years that IT was complaining about poor security and all the risks, management mostly thought it was IT security people being overly worried and crying wolf.