Approach and position on IT, Information Economy, Security II (By SGirl)
By SGirl:
It is not just the government. The whole industry doesn’t care enough to pay sufficient attention to the message being sent to business about IT security. (I am not even going to bother with the national IT agenda; that is a whole other rant.) It is largely cultural, and I don’t know if it will change. Let’s start with the government.
You have local, state and federal government and within this, a plethora of agencies, departments, bodies and statutory authorities that have their own areas of responsibility. Pretty much at every level and at every segment they are putting out a message about IT security.
Some push a dedicated IT security message, others push a particular message for a particular sector or area of industry, and many are pushing the same message to the same segment in different areas of the country. Their intentions vary too, and this also plays a part in what message is sent.
For some the root intent is social responsibility; for others it is purely political (e.g. Internet filtering, anyone?), jumping onto topical interest bites, or even just using up budget allocations pointlessly to keep jobs and play the games that governments play.
Not one, though, in my opinion gives sufficient information for a business of any size (small, medium or large) to understand and appreciate all that they should be knowing and doing to address the new threats that come with doing business through technology. And few ever say things consistently in alignment with each other. You have to wonder….
Agendas and priorities die and change but websites don’t, which is kind of ironic given IT is the topic. Messages get confused and out of date, and devalue the information and integrity of the government’s agenda, purpose and message to the Australian business and consumer communities.
Until one is responsible for sending out the message, and all the others “link” to it – reducing information management costs and complexities, the current situation is not going to change, and the message will not be any clearer. (Yes I know we can get into big brother scenario discussions. I have an argument for that but I’ll leave that for another time).
I can put my hand up. I’m no newbie and I do not have delusions of grandeur. Nor do I have too much time on my hands to play and break things “‘cause I can and I am cool”… I have never been convicted of a felony, so perhaps I am not what the government is looking for. But I could do the job, as could numerous others like the people who read this blog.
But it is not just the government that needs to wake up. Let’s look at ourselves – the security industry.
The security industry is its own worst enemy in terms of the message that is getting out to non-IT Security people about IT Security. We cannot solely blame the government and feel better about ourselves.
There are four main types of people in the security industry (IMHO flame on):
1) Those that are passionate about the security industry and genuinely care.
2) The parasites that are happy to say anything to anyone to make a sale. (You know the ones)
3) Those that were once passionate but are now so disenchanted with their lot – now just existing to pick up the pay cheque.
4) Those that have never been and never will [achieve a level of competence]. (Many delusional about their abilities, importance and actual value they add to society).
I am not going to bother about the last two. They are either basement boys now or on their way to being. But, the others have some accountability for the level and quality of message about IT security being sent.
Security professionals tend to congregate in herds (generalisation?). Why? Because they either think a great deal about themselves and their own importance and want to be around those that will listen (feeding the egos), or because they are sick of not being listened to anywhere else (like their work, social circle etc), and others in the industry, will. Security professionals attend security conferences, join security associations that preach to the converted, pat each other on the back with how hard it is and how security should be aligned to business. I could go on.
Some join the sub-security community for the really cool and elite and then look down on others in the industry…..but then back to work in their uncool corporate cubicle. LOL…. While I have the stage again: Schneier you are not a rock star. Well maybe in your own little world…LOL.
Hands up all those reading this that are NOT a security professional, a journalist writing a story for another security blog or news site, or working for a security vendor… and the room goes quiet. (I can see you. I own your camera.)
Guess what, there is an awful lot of businesses in Australia that do not employ dedicated security professionals, do not subscribe to security magazines (or even IT magazines for that matter), do not attend security conferences, do not frequent blogs written by security professionals and do not purchase security management texts. Ever read the rubbish written in business journals and magazines targeting these people?
They cover a single threat or issue, for example, make a big deal of it, provide a few points on what to do (usually poorly), and forget about the other 300-odd things that any half-decent security professional would know organisations should be doing. Selective content for place-fillers at times? Is there enough good information out there from us that is relevant to the audience? i.e. that is not too technical, too dumbed-down, too high-level, too hard to find, or too focused on a particular area to be any good… the challenges, hey?
Similarly, reading the rubbish written on the majority of security provider and vendor sites: it is always a case of let me tell you what I do and how well I do it. They have several well-placed quotes, case studies or “white papers” to prove how their business will save your day and make your business more profitable. For good measure they will sprinkle their site with nicely placed catch phrases and topical points that won’t add anything for the end user, but will improve their Google search engine results. Long bow dudes, long bow. It is marketing of course, but at the extreme (or is it mainstream?) you have the parasite security product vendors that should be reported to the ACCC. “My product will make you PCI Compliant!”, LOL… “My product will protect you from all known and unknown threats” LOL Symantec. Crap, crap, crap.
I am not suggesting that all security vendors (and service companies) care only for their own gain with little interest in industry or society. A lot do, but there are good ones out there. I know many companies, the one I work for included, that go above and beyond to help the customer, often to their own detriment, especially when you’re up against some of the bigger boys with big budgets for questionable entertainment spend. It still happens, though it is weird and scary to think that in 2009 strip clubs and brothels are closing deals. (You know who I am talking about, don’t you, Mr decision maker in a certain company. Your little secret is not a secret… your staff all know and don’t mind telling others.) How do you trust quality and care factor? But is some care better than no care, when it comes with the opportunity to have that company listen to you? There are many more that never actually see a security consultant. What information are they getting?
Back to some of the initial points. (I am ranting I know). Serious question; have you ever tried to find one site/source of information that listed all of the legislation and standards in Australia that may impact your IT and security controls for your business, or an end-to-end security framework that you didn’t have to buy or didn’t come with a sales pitch? That’s correct?
It’s difficult, WTF hard in fact, and I know what I am looking for (or at least I think I do).
We can’t just blame the government for that. They have their own case to answer, but since the government has always promoted a “light touch” approach, isn’t it then up to the experts to pick up their game rather than whinge that someone else isn’t doing it to a high enough standard?


May 16th, 2009 at 11:22 pm
I’m sorry but I read half and got bored. Did you just read a psychology book and apply some of what you read on the world of infosec? You’re not saying anything new… The crappy generalisations you are making apply to most professional industries.
Might try and give the rest of the post a go tomorrow.
May 17th, 2009 at 9:25 am
I have to agree about the consistency of information being communicated to Australian business. Yes there are non security experts reading this website and I hope you don’t control my camera.
For myself it became a case of nothing and then the next day PCI! No warnings, no preparation. I know others are also in the same boat. How did this happen? Where was the minister for small business when this was happening? Why isn’t the government helping?
Poor Ralphy. Was the post a bit too long to read in one sitting? We all thank you for giving us the first installment of your response and are on the edge of our seats waiting for the next installment.
May 17th, 2009 at 6:21 pm
Local equivalent?
http://www.isalliance.org/
You hear about this but wondering from our US cousins about relevance, impact and value from this group. I am on the mailing list and it’s interesting reading at times.
May 17th, 2009 at 8:23 pm
I agree with Ralphy on this one, was bored about 1/3 of the way through. At least when Drazen Drazic rants he makes it entertaining.
May 18th, 2009 at 8:47 am
This is not the most exciting topic to begin with but valid points raised about information flowing into the rest of the world (those not part of the IT Security industry). The battle to deliver this message should not just be restricted to those organisations that deliver the paid security consulting services to businesses. Where is the government on this? In the wake lies a series of failed projects while business reliance on Information technology grows by the day. If the best we have after all these years is Stay Safe Online then there is an obvious concern to raise. If the best we can see for the future is a bunch of projects that are either doomed to fail or have little expectations of short term success and benefit, then things are not going to get better. Where is the focus on small business that drives a large percentage of the country’s economy? Who is protecting small, medium and large business alike from a competitive, security and future-proofing perspective? Is it there? I cannot see anything giving me confidence. Australia lost the plot in the early Howard years where the country went from being a regional technology leader to a regional technology follower and nothing of any substance seems to assure me that things are changing.
May 18th, 2009 at 9:51 am
How can you not be interested in this? It has even got hot gossip tidbits. Strippers and brothels! All we need is something about Rugby League players now to round it off. If the post is upsetting anyone it is probably those that may be somewhat insecure in their own roles. I am not an IT security person and I am thankful for sites like this that help me understand some things. If only for the vendor beware information, it helps me. I have to trust someone but it is hard to know who to trust. And I agree, the government provides me with little to nothing. I have no care for filtering Internets and new broadband networks will be nice but who knows what I will be doing in 30 years. I could keep plodding along but how do I know if I am heading in the right direction and someone is not going to pull back the reins and knock my business for a six. Like many of my fellow business colleagues struggling with payment card rules. It is easy to post stuff like this but how is the message getting out there? Are we to assume it is every man for himself for the immediate future?
May 18th, 2009 at 9:57 am
I have to agree about the consistency of food being eaten to Australian businesses.
May 18th, 2009 at 11:25 am
Small Business Chef; I see you thought long and hard about this topic. Where is your restaurant? Maybe a free plug here and we can come down and visit you and share some thoughts over a few vinos.
May 18th, 2009 at 3:26 pm
I honestly didn’t think that there was any small business – non IT people reading this blog (OK maybe a few SG clients). Cheers to you.
I am currently working on an IT security initiative for small businesses in Australia, (that unimportant sector covering 1.8+ million businesses and contributing 4 times that of the Australian Stock Exchange to the AU economy).
If you have any particular issues, concerns, experiences to be specifically addressed, (If they are not already), please either send them directly to DD or ask him to pass on your email address to me. I won’t be using any personal details or company identifying information.
Ta
May 18th, 2009 at 10:13 pm
In progressing this discussion further, I just thought I’d add my bit.
“My bit”.
-BG
May 28th, 2009 at 6:17 pm