Several years ago I met a young man after he had been terminated from his role in IT security at a large service company. As he explained his work to me, it became apparent that in the most simple and unrefined terms, this guy was a skilled hacker--the kind of person you want on your IT team because you don't want to find out what kind of damage he'd do if he was on the other side. I kind of wondered if he was hired so the company he worked for would have some measure of comfort that they knew what he was doing. . .at least during the day.
I was reminded of this man after listening to Ron Rittenmeyer, President and CEO of EDS speak at the Ernst & Young Management Briefing Series presented by SMU's Cox School of Business. Mr. Rittenmeyer's presentation could make you afraid to share any information more personal than your shoe size. But his balanced and reasonable perspective gives one confidence that the battle for IT security has not been lost and that you can still bank on-line and sleep at night.
What struck me most during Rittenmeyer's talk was how much the subject of IT security is like the issue we discussed yesterday. It seems that like politicians, some IT departments can't get attention without a crisis. In many organizations the need for greater levels of security is recognized only after that security has been violated. After hundreds of credit card numbers show up on someone's PC a reactive step gets taken to enhance security when a proactive initiative might have prevented the problem from ever taking place. But how do you get people to invest in a solution to solve a problem you don't yet have?
The consensus from yesterday's comments is that our society tends to be reactionary by nature--an unfortunate situation for those charged with trying to protect sensitive information for companies and individuals. But organizations that play light with security need to consider this: If you don't have time or resources to invest in preventing a problem--what makes you think you'll have the resources you need to fix the problem after it happens?