One of the hardest things about security is getting people to understand it and to implement it. This applies to small, simple things as well as to more advanced ones. For example, most of us realize that having a complex password is a good thing, but what about changing that password on a regular basis? Work probably forces you to change it quarterly, but when is the last time you changed your Amazon password? Or the password for your banking account?

Deciding what kind of security system is needed is part of this process. Some things, such as a network firewall or an SMTP gateway, are easy decisions. They are de facto needs (firewalls) or address an obvious problem (blocking spam via an SMTP gateway). Deciding to protect against something that hasn't happened to you yet (your Web site being hacked, for example) takes a more forward-thinking mindset. How much does having an automated Web application security solution really help? Are you wasting resources and time testing for something that might never affect you? Or will you be glad to have it?

If you think about it, security is an insurance policy. It's something that you spend effort deploying and implementing in order to protect yourself. When you don't need it, you feel like the time and money were wasted. At the same time, though, when it is needed, you are eternally grateful.

Yet security is also a preventative tool. If you regularly lock your car, then nothing is stolen (or at least not as often). If you've fixed all the holes in your Web applications, then there is no opening for the hackers to get in. So while security might seem tedious and at times overkill, it is still better than cleaning up the mess of lost or stolen data afterwards.
- Mike Kazmierczak, Cenzic, Inc.
I think this is a good time to buttress this article by pointing to a good example of how much it can cost not to implement security up front. I think the TJX data loss fiasco is now estimated at costing them around US $150 million. Security is a matter of assessing risk, doing a cost-versus-benefit analysis and then implementing what you need. You don't need to spend a million dollars on IT security if you assess that a loss will only happen every 2 years and cost you $5000 in cleanup. But you still need to do that up-front assessment and implement security up front. Else you could be up S#^t& creek without a paddle really quickly!
Posted by: R. Kerns | August 28, 2007 at 08:23 AM