The Failure of Information Security

Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."

PEBKAC

[Opportunist]

I live and thrive on the inability of people. It's my job to find and eliminate trojans, worms and other malware.

Time and again I see proof that people, smart people, people with a masters degree and Ph.D., lawyers and bankers, managers with a six to seven figure annual income, become mumbling fools in the presence of a computer. I don't know what it is that those magical boxes emit, but it must be akin to the stupidity ray used in Zak McCracken. Lucas got it wrong there, it's not transmitted through the phone line, it comes out of your computer screen.

Now the argument comes "Then don't allow them to f... up the system, lock them down and take away their permissions". Anyone who ever said that statement never worked with managers that have egos that require their own offices. Don't you, grunt, DARE to take away any options from him! He is the master of the world, he is the chieftain of chieftains, and YOU dare to tell HIM what he may and what he may not do?

Security is nice on paper, but it is very hard to do in reality. Not so much because its technicalities. The human factor is by far underrated in IT sec.

Re:PEBKAC

[ObsessiveMathsFreak]

One minor quibble: it's PEBCAK (Problem Exists Between Chair And Keyboard).

Either is fine. The product of stupidity and computers is commutative.