Submitted by Philip Storry on
We're trying to change a culture here.
At first, IT was a strange thing in big offices with big expensive kit that worked miracles.
Then, it came down to the desktop, and allowed anyone to perform smaller miracles.
Next, we connected those desktops and gave everyone the benefits of sharing files, emails and so forth.
Recently, we interconnected all the separate business networks via the internet, which was a huge boon but also a security bane.
Security shouldn't be invisible, it should be normal. It should be part of every project, of every procedure, of every technology. But as IT became so ubiquitous that it entered everyone's personal lives as PCs, MP3 players and smart phones IT also became something that people regarded as a commodity - something that "can't be expensive" and "can't be difficult".
Here in IT, we're kind of young. This is a cultural challenge we've never faced before. So let's look at another industry where they have a similar issue - the construction industry. There, safe working should be part of every worksite. Every access point, every construction phase, every job, every bit of equipment - they should all have the safety of the workers in mind. Workers may well be available, but they should not be regarded by the construction companies as a commodity - they require protection.
So every building site has a big sign at the worker's entrance, declaring "no hat and boots, no job".
Health and Safety is still visible, and in a big way.
But it's also just normal. That's the way it is in the construction industry.
Why? Because the law states that if a Health and Safety breach occurs, people can go to jail. It's not just fines. It's potentially their liberty. In the 1970's we got tired of workers being treated as a commodity, and dealt with it accordingly.
You want the attention of these idiot CxOs? Easy. If they get compromised and they can't show that they took security issues seriously, then as well as the company being fined they get the joy of going to court to defend themselves from jail time.
Just like health and safety issues, we probably won't get any traction until we focus the minds of our "best and brightest" CxOs. After a few have gone to prison, companies will take this seriously and then it won't be invisible, but it will become normal - which is what we actually want.
But until then, good security will just be a cost to be shaved as thin as possible.
(This was written in response to a comment on this article at The Register. The comment I was replying to was deleted, leaving no context, so I decided to rewrite and expand upon my thoughts.)