Welcome to The UltraTech Zone Sign in | Join | Help

Talking Out Loud with ASB

Views on Life, Technology and Everything, by ASB (aka Logik!)...

My Profile

Andrew S. Baker (ASB)

News

  • Platform: CS v2.1 SP2...

    Get a FREE phishing filter for your domain!

    Who links to my website?

    Pando Pro

Lessons from 2009: Functionality still trumps Security

Yes, you heard me correctly…

We still think about personal and corporate security only as an afterthought.

Despite all the regulatory and industry compliance that has been created and updated in the past 15 years, as we close out this decade, we are hardly any closer to proactively applying security guidelines in our personal or professional lives.  Certainly, we don’t apply them ahead of convenience or functionality, in any event.

  • We still leave our keys under our welcome mats, or inside our flower pots, or inside our garden gnomes.
     
  • We still hate using passwords, still use feeble ones, and still write them down on sticky pads pasted to our monitor or the bottom of our keyboards.
     
  • We still share the same password(s) across all our corporate accounts and our internet accounts.
     
  • We still don’t lock our workstations when we leave our desks, or password protect our sensitive PDAs and smart phones.
     
  • We still disclose sensitive information on websites that are not using SSL and are only “protected” by feeble passwords.
     
  • We don’t pay for preventative information security solutions or apply best practices unless we think we *may* have been compromised.
     
  • We prioritize new functionality over operational security, even though new features are a common source of security issues in the first place.
     

As consumers, we are willing to pay for products if they have the right features, but rarely will we inquire about how safe or secure they are – and even less commonly are we will willing to pay extra for safety or security.  This gives the vendors no incentive to prioritize security until something bad has happened™.  We’ve got to get past the acknowledgement that vulnerabilities are a given, and get to the place where we hold people accountable for issues that could have been foreseen and mitigated in advance.

We cannot expect to hold vendors accountable for security failures if we continue to value non-security features ourselves – not in a free market society, anyway.  They’re only going to produce what we’re willing to pay for, and so far security is not what people clamor for.

 
What the Future Holds…

Having said all that, however, I predict that the next 15-24 months will bring more penalties for organizations small and large that fail to be proactive in their management of information security and privacy concerns.  There will be embarrassing disclosures of personal data, and many more small-to-midsize firms will find themselves having to deal with the aftermath of data security breaches, given that 45 states currently have breach notification laws on the books, and a Federal breach notification law is on the horizon.

Expect the 2010 list of data breaches to be even larger than the 2009 list.  It’s definitely going to get worse, before it gets better, and the consumer response to such negligence will be debilitating for the offending companies.  There are lots of vulnerabilities floating around in the wild, in addition to targeted attacks by an increasingly sophisticated malware underground.

Now is the time for prudent business owners to make true information security a priority, recognizing that a secure enterprise is actually a business driver, and lowers the costs associated with attaining regulatory and industry compliance.  Those who continue to approach security in a reactive way will spend more money, and use more resources, and generate less revenue than those who make information security an underlying part of their business operations.  Security is a way of life, not a periodic event, and it’s about time we started behaving this way. 

No matter how expensive we think security is, the costs are always less when paid upfront rather than after an incident.  The question we should be asking ourselves isn’t “can I afford this security?” but rather “can I afford not to have this security?”

Collectively, we can hold organizations accountable for inadequate security and privacy practices and functionality – but we have to start with our own personal security.  Don’t just pay lip service to security issues, or you could find yourself paying real dollars to rectify a huge mess in your personal or professional life.

Let’s start this new decade on the right foot, and not perpetuate the information security sins of the past.

Share Post:
Posted: Thursday, December 31, 2009 6:34 PM by Logik!

Comments

BrainWave Technology Tidbits said:

Yes, you heard me correctly… We still think about personal and corporate security only as an afterthought.

# December 31, 2009 6:44 PM
Anonymous comments are disabled

About Logik!

Andrew S. Baker aka ASB aka Logik!

Andrew S. Baker is a business-savvy, hands-on IT leader with expertise in mentoring people, mitigating risk, and integrating technology to drive innovation and maximize business results. He creates competitive advantage for organizations through effective IT leadership: implementation of processes and controls, and architecture of robust business solutions.

Mr. Baker has successfully led a number of high-performance technology teams in designing, deploying and maintaining secure, cost-effective computing environments for well-known companies, including Warner Music Group, The Princeton Review, Bear Stearns, About.com, and Lewco Securities.

For over a decade, Andrew has exhibited thought leadership on technology and business topics via mailing lists, technical forums, blogs, and professional networking groups, along with contributions to podcasts, webinars, and over 20 technical/business magazine articles. He also serves on several boards and committees for non-profit organizations, and within the Seventh-day Adventist church.

His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers, Family Life Ministries, Reading, Strategy/Role Playing games, and Professional Networking...

A summary of Andrew's current résumé is available here, and he can be reached on a variety of social and professional networks, including LinkedIn, Facebook and Twitter.