Modern Middle Manager
Primarily my musings on the practical application of technology and management principles at a financial services company.
Are You Paranoid Enough?

Thursday, January 02, 2003

Why is it that every article about security assumes that most attacks are external? This article could have been much, much shorter, better and far more useful instead of being a pitch for bigger security budgets spent on intrusion detection. Here's my take:

1. The number one problem with security still remains internal. Procedural controls, the classification of data and employee security awareness are more important than spending all your time on intrusion detection. The article doesn't make that point until almost the end. I liked the 90-day security plan as a very basic framework. Want more? Check out this book.

2. However, there are bad guys out there. So what do we need to keep them out? Well, ask yourself what the risks are, their probability of success and the likely loss. That's called risk management, and it's how security budgets should be determined. Trying to create a revenue-driven metric for security is kind of like chewing on your own brain -- it's that particular twisting of reality that only a marketing weenie could invent.

3. How do we justify what we spend on internal and external controls? Go back to point #2. At some point your controls will break down and you will either have employee malfeasance or a successful intrusion. It will cost you money. The question is how much you're willing to lose.

What I find interesting is that this article refers to a financial-services executive who couldn't put a value on security. What's worse is that any financial services company is going to be regulated, so the examiners who gave this company a clean bill of health should be strung up and shot. Or this executive is a doofus. In either case, I wouldn't be pleased. As a regulated firm, my company undergoes a regular examination every year from the Office of Thrift Supervision, supplemented by a third-party exam every other year. This is one reason anyone putting significant sums of money into a financial services company should ask for, and read, the SAS 70 audit report that gets produced from the exam. Do yourself a favor and make sure you're not putting your hard-earned loot in an institution secured by morons.

posted by Henry Jenkins | 1/02/2003 11:37:00 PM
