I REALLY shouldn’t have to write this piece. There are some things in life that you just learn to do that are built upon the ruin of those who came before you. George Santayana once said “those who do not learn from history are condemned to repeat it”. Out of all of the wisdom passed down to us– from history– you would think this would resonate in 2012, particularly in enterprises where information technology plays such a vital role in success.
And yet we continue to read about major companies– even IT companies, for heaven’s sake– that make fundamental freshman security mistakes, mistakes that were considered standard practice to avoid 20 years ago. Is it because these standard, common-sense security steps just aren’t sexy, and therefore aren’t pursued with the same vigor as an exciting CSI-like forensics investigation? Is it because you really don’t have to BUY technology to perform many of the standard practices that have been patiently codified, process by process, industry by industry? Is it because you lack the drive to deliver security awareness, training, and education into the culture of your organization? Or is it because you’ve grown complacent and lack the energy– in other words, have you grown lazy?
IT security as a priority for executives seems to have slipped in surveys taken in enterprises over the last two years, supplanted by issues that focus on data or applications, and sometimes infrastructure. It is hard to know how to interpret that slippage, but one would hope it isn’t because of a perception that the problem has been ‘solved’ or that ‘adequate’ measures have been taken to address most risks. I’m sure that many enterprises have made enough progress to feel that way, and remain vigilant without necessarily consuming a major part of the IT budget to do so. But the news from the industry keeps coming, time and time again, of enterprises that have suffered major breaches or system failures due to simple, preventable occurrences. If we combine these simple issues with (a) a growing level of sophistication and persistence of threats; (b) the growing dimensions of security planning and management that are converging with our current IT security (e.g. physical security, industrial control security); (c) the complexity of ensuring privacy in an increasingly consumerized infrastructure; (d) the growth in the number and types of IT service delivery; and (e) the expanding set of regulations that enterprises must comply with in their respective industries– you can see that IT security remains a non-trivial concern.
So what is the lesson here? Let’s apply a radical concept known as common sense to ensure that EVERYTHING that can be done from a process and organizational perspective is done to ensure an effective IT security program is in place and operating at peak efficiency. Do not skimp on security awareness and education– not training, but REAL education that draws upon the lessons we appear to keep relearning as we keep making the same simple errors of procedure and process. Optimizing the environment before you spend anything on technology is a priceless investment, and can show that you can indeed learn from an excess of teachable moments still occurring daily.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.