Thursday, January 05, 2006

How are you spending your security dollars?

I was reading some comments on another blog today, and one comment in particular caught my eye. A retired CIO lamented the fact that "millions of dollars" were spent providing security to Windows systems...but he put a Mac on the network and never had a problem. Yeah, you read it right..."millions", with an M.

Ugh. My dooty detector goes off, screaming like a banshee, whenever a C-level executive makes comments like that. No, I'm not going to break things down to a para-religious argument over whose OS is better. That's not where I'm going with this one. What I am leading to here is, this sounds like a training issue to me. It sounds like the knowledge level of the IT staff has...shall we say...room for improvement.

Now, I have no doubt that there are some really bright, very knowledgeable IT guys and gals out there, so if this doesn't apply to you, feel free to leave the room.

I was a security weenie at a company once, and the senior admin guy had a bunch of guys working for him. The senior admin guy went to his desktop support guy, a legitimate Dude Among Dudes, and told him, "we can't promote you to an administrator, like I promised, until you get your MCSE." I heard that and thought it was funny...not laughing funny, but "here, try this, it tastes like crap" funny...because none of the current IT administrator staff had an MCSE. Yep, you read that right..."none", with an N.

My point of all this is that this Dude, who'd helped me with virus eradication, was knowledgeable and had a good head on his shoulders (and still does). The admins who wouldn't let him play in their reindeer games botched pretty much every incident they responded to, had no documentation, and had no network diagram. They didn't even know where the egress points were...the ones that bypassed the firewall...even though they'd set them up.

Okay, getting back on track here...where was I? Oh, yeah...training. My thought is this...when it comes to securing any network, regardless of operating systems and applications, you need to start with documentation. If you don't have it, then getting it is going to be a very necessary exercise. This is a good place to start when identifying your risks. Why? Because you have to know what your risks are so that you can start mitigating them...right?
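To make the "start with documentation" point concrete, here is an added example (my own code, not from the original post) that reconciles a documented asset inventory against what is actually observed on the wire and flags the gaps a risk assessment should start from: hosts nobody documented, stale records, assets with no owner, and, echoing the story above, egress paths to the Internet that the inventory never mentions. The inventory and the observed-host table are constructed sample data; in practice the observed side would come from ARP/DHCP/switch tables or a scanner export.

```python
"""Reconcile a documented asset inventory against observed hosts.

Added example, not part of the original post. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    hostname: str
    owner: str
    egress: bool = False  # True if this asset is a sanctioned path to the Internet


# The documented inventory (constructed sample data).
DOCUMENTED = [
    Asset("10.0.0.1", "fw-edge-1", "netops", egress=True),
    Asset("10.0.0.10", "dc-01", "winadmins"),
    Asset("10.0.0.20", "file-01", "winadmins"),
    Asset("10.0.0.30", "old-print-srv", "unknown"),   # nobody owns it any more
]

# What was actually observed on the network (constructed sample data).
# "public_nexthop" marks a host whose own next hop is outside the firewall,
# i.e. it forwards traffic straight to the Internet.
OBSERVED = {
    "10.0.0.1":  {"gateway": None,       "public_nexthop": True},
    "10.0.0.10": {"gateway": "10.0.0.1", "public_nexthop": False},
    "10.0.0.20": {"gateway": "10.0.0.1", "public_nexthop": False},
    "10.0.0.45": {"gateway": "10.0.0.1", "public_nexthop": False},  # not in the inventory
    "10.0.0.99": {"gateway": None,       "public_nexthop": True},   # undocumented egress point
}


def reconcile(documented, observed):
    """Compare inventory to observation; return lists of IPs per finding type."""
    doc_by_ip = {a.ip: a for a in documented}
    findings = {
        "undocumented_egress": [],  # Internet path the inventory does not know about
        "undocumented_hosts": [],   # seen on the wire, absent from the inventory
        "unowned": [],              # documented, but nobody is responsible for it
        "stale_records": [],        # documented, but not seen on the wire
    }
    for ip, obs in observed.items():
        asset = doc_by_ip.get(ip)
        if asset is None:
            findings["undocumented_hosts"].append(ip)
        # An egress path counts as undocumented if the host is unknown or the
        # inventory does not record it as a sanctioned egress point.
        if obs["public_nexthop"] and (asset is None or not asset.egress):
            findings["undocumented_egress"].append(ip)
    for ip, asset in doc_by_ip.items():
        if ip not in observed:
            findings["stale_records"].append(ip)
        if asset.owner.strip().lower() in ("", "unknown"):
            findings["unowned"].append(ip)
    return findings


# Severity ordering used to turn the raw findings into a work list.
SEVERITY = {
    "undocumented_egress": "high",
    "undocumented_hosts": "medium",
    "unowned": "medium",
    "stale_records": "low",
}


def risk_worklist(findings):
    """Flatten findings into (severity, finding_type, ip) tuples, highest risk first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = [(SEVERITY[kind], kind, ip) for kind, ips in findings.items() for ip in ips]
    return sorted(rows, key=lambda r: (rank[r[0]], r[1], r[2]))


if __name__ == "__main__":
    for sev, kind, ip in risk_worklist(reconcile(DOCUMENTED, OBSERVED)):
        print(f"{sev:6} {kind:20} {ip}")
```

The output is the starting point the post is asking for: the high-severity row is the box at 10.0.0.99 that forwards traffic around the firewall without appearing in any document, and that is the kind of thing a team with no network diagram will not find until an incident finds it for them.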

What I'm getting at here is that spending "millions of dollars" to secure Windows systems probably wasn't necessary. If you don't know what you're doing, then of course trying to secure a network is going to be expensive. I simply think that that kind of money would be better spent on things like hiring better qualified personnel, and training the ones you have.

Oh, one other thing...if you're reading this blog entry, then let me throw this out. There are training opportunities available from a variety of sources, at a variety of price points. But what would you say if you could get your entire staff (like, 12 - 20 people) training, with that training targeted to your needs (for your environment), for less than it takes to send 2 or 3 people away to some of the bigger training events? How about if that training led to follow-on training and services that continued to apply specifically to your needs? Would you be interested in something like this?
