Paying to be Perplexed

Buyers of "IT security" products report that they don’t feel much more secure, but that they now perceive the complexity of their security solutions as their single biggest security challenge — even more so than breach prevention, policy enforcement, user education or risk assessment.

From the story linked above:

So-called "defense-in-depth" is just another way of saying "you’ve got a bunch of technologies that overlap and that don’t handle security in a straightforward manner," says Alastair MacWillson, global managing director of Accenture’s security practice. "It’s like putting 20 locks on your door because you’re not comfortable that any of them works." Yet a case can be made that respondents aren’t worried enough.

MacWillson is further quoted as warning that the complexity of security products is perhaps just the problem that IT operators can most easily see — but that, like the man who lost his keys up the street, those operators may be looking only where the streetlight is shining. Leakage of data through theft and carelessness may be a much greater risk.

The story I first cited above narrates incidents of trade secrets downloaded from a company’s PDF servers and shopped to competitors, as well as familiar tales of backup devices and laptops being stolen from employees’ cars. It’s all part of a perfect storm of exploding data volumes colliding with escalating standards of governance.

Quoting that same report once more,

Over the past 12 months, the change at Eisenhower Medical Center in Rancho Mirage, Calif., that’s had the greatest impact on security is the health care organization’s move from a paper-based to an electronic patient records system. "This put more responsibility on us to make sure the patient’s data is secure," says CIO David Perez. "And it’s not just the movement of the data online but the volume of that data makes it more challenging. A CAT scan a few years ago would provide 250 to 500 images, but our new system can produce up to 5,000 images."

As more and more physicians and medical staff log on to Eisenhower’s intranet portal to do their work, Perez and his team must increase their monitoring for security problems and ensure that only the appropriate physicians and staff are accessing different medical records, as required by the Health Insurance Portability and Accountability Act.
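The requirement in that passage, letting only the appropriate physicians and staff open a given record and monitoring the result, is concrete enough to sketch. The following is an added example, not code from the original post or from Eisenhower Medical Center: it models a treatment-relationship check (a user may open a chart only if they are on that patient's care team, or via a logged emergency "break-glass" path open to clinical roles), writes every attempt to an audit trail, and runs two review queries over that trail: denied or break-glass events, and users who opened an unusual number of distinct charts in a short window. All user names, patient identifiers, roles and thresholds are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed: roles permitted to use the emergency (break-glass) path.
CLINICAL_ROLES = {"physician", "nurse"}


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str


@dataclass
class RecordStore:
    # patient_id -> set of user_ids with a treatment relationship (constructed data)
    care_team: dict = field(default_factory=lambda: defaultdict(set))
    # one entry per access attempt, allowed or not
    audit: list = field(default_factory=list)

    def assign(self, patient_id: str, user_id: str) -> None:
        self.care_team[patient_id].add(user_id)

    def access(self, user: Staff, patient_id: str, at: datetime,
               break_glass: bool = False) -> bool:
        """Authorize one chart access and record it regardless of outcome."""
        on_team = user.user_id in self.care_team[patient_id]
        # Emergency access: only clinical roles, only when not already on the team,
        # and always flagged so it lands in the review queue.
        emergency = break_glass and not on_team and user.role in CLINICAL_ROLES
        allowed = on_team or emergency
        self.audit.append({
            "time": at, "user": user.user_id, "role": user.role,
            "patient": patient_id, "allowed": allowed, "break_glass": emergency,
        })
        return allowed


def review_queue(store: RecordStore) -> list:
    """Every denied attempt and every break-glass access needs a human look."""
    return [e for e in store.audit if not e["allowed"] or e["break_glass"]]


def distinct_patient_spike(store: RecordStore, threshold: int,
                           window: timedelta) -> dict:
    """Flag users who opened more than `threshold` distinct charts within `window`.

    Returns {user_id: largest distinct-patient count seen in any window}.
    A spike of successful accesses is what a relationship check alone cannot
    catch: a user who is legitimately on many care teams but is browsing.
    """
    by_user = defaultdict(list)
    for e in store.audit:
        if e["allowed"]:
            by_user[e["user"]].append((e["time"], e["patient"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - t0 <= window}
            if len(seen) > threshold:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged


def run_scenario() -> RecordStore:
    """Constructed sequence of accesses exercising each path."""
    store = RecordStore()
    dr_lee = Staff("dr_lee", "physician")
    nurse_kim = Staff("nurse_kim", "nurse")
    billing_ray = Staff("billing_ray", "billing")
    for n in range(1, 13):                      # dr_lee treats P-001 .. P-012
        store.assign(f"P-{n:03d}", dr_lee.user_id)
    store.assign("P-001", nurse_kim.user_id)
    t0 = datetime(2007, 7, 31, 9, 0, tzinfo=timezone.utc)

    store.access(dr_lee, "P-001", t0)                                   # allowed
    store.access(nurse_kim, "P-002", t0 + timedelta(minutes=1))         # denied
    store.access(nurse_kim, "P-002", t0 + timedelta(minutes=2),
                 break_glass=True)                                      # allowed, flagged
    store.access(billing_ray, "P-001", t0 + timedelta(minutes=3),
                 break_glass=True)                                      # denied: not clinical
    for k, n in enumerate(range(2, 13)):        # dr_lee opens 11 more charts in 10 minutes
        store.access(dr_lee, f"P-{n:03d}", t0 + timedelta(minutes=4 + k))
    return store


if __name__ == "__main__":
    s = run_scenario()
    for e in review_queue(s):
        print("REVIEW", e["time"].isoformat(), e["user"], e["patient"],
              "denied" if not e["allowed"] else "break-glass")
    print("SPIKE", distinct_patient_spike(s, threshold=8, window=timedelta(minutes=10)))
```

The point of keeping the audit list independent of the allow/deny decision is that the denied attempts and the break-glass uses are exactly what the monitoring the passage describes has to surface; a system that logs only successful reads gives reviewers nothing to act on. The spike query is a deliberately simple sliding window over distinct patients; real thresholds would come from each role's normal workload.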

This isn’t the kind of problem that’s solved by throwing more money into on-premise security technology and questionably effective training. When you’re in a hole, the thing to do is to stop digging.

Issues of information security are perhaps among the strongest arguments for moving key systems into an on-demand space — instead of clinging to the illusion that data are more secure on-premise, merely because the storage devices are where you can see them.

July 31, 2007