Conventional wisdom isn't

Doing the same thing everyone else does isn't always best

I wish I could relate a specific conversation, but I can't. Maybe I'm trying to block the words. But I can tell you about conventional wisdom. You know what I mean -- like the idea that something must be true just because everyone says it is.

There's plenty of conventional wisdom around, and it can cause problems in all sorts of ways. But we're here to talk about enterprise security, so let's look at conventional wisdom there.

One good example (if the conversations I have with security professionals are any indication) is the advice that all your company needs to ensure its security is a good firewall, frequent updates and patches, and some good anti-virus software. If you have these, you'll be safe, says conventional wisdom.

Or there's the idea that you should make your enterprise impregnable. Imagine a kind of digital Maginot Line around your network, something that is so impenetrable that no one could possibly break in. That, the conventional wisdom goes, is sure to discourage break-ins to your network, forcing the bad guys to go elsewhere.

So managers who believe in such things go busily about their work, acquiring products they don't really understand, to perform tasks they grasp only dimly. Hey, if it costs a lot of money, it must be good.

But (as you no doubt expect I'm about to say) it's not. Or at least not completely. This is not to suggest that your enterprise doesn't need a firewall, or anti-virus software, or any other sort of digital fortification you might want to put between your network and the barbarians. It's just that these measures won't ensure your safety, despite what conventional wisdom might say.

What will ensure the safety of your enterprise is a security implementation designed specifically for your company, your employees, and your customers. Sure, you'll still need a firewall, but maybe you also need something that watches for the attacks that get past the firewall, since some always will. Or maybe you need some sort of early warning system so you can prepare for the virus du jour before you start seeing thousands of e-mails all proclaiming "I love you."

Now, if I were most columnists, this would be the part where I'd start imploring you to "Think Outside The Box," (note that when people say that, they speak in capital letters). The problem is, I don't really understand what that means. So instead, what I can say is ignore the box -- if there is a box -- and pay attention to the basics of your business. If you were trying to keep people out of your cash drawer, what would you do? There are all sorts of alarms, dye packets, guards with machine guns, missiles, and chemical weapons that would protect your cash drawer, but you can accomplish the same goal by taking the cash out at night and depositing it in the bank and keeping the drawer locked the rest of the time. Then you limit your exposure by keeping only the minimum cash required for the day in the cash drawer.

So why is it that the conventional wisdom seems to have you putting all of your corporate data in one easily reached place, and then leaving it there forever? Isn't your corporate data as important as the cash in your cash drawer? No doubt it is, but conventional wisdom would have you ignore the basic safety practices you apply to the cash, keeping all of your data available and on site all the time instead.

Maybe you do need to keep some of your company's data handy, but all of it? Perhaps it's time to ignore the conventional wisdom and pay attention to what your company actually needs. It is, after all, your company, and it's different from all the other companies. So why would you need a conventional solution touted by conventional wisdom?
Copyright © 2003 IDG Communications, Inc.