Shane's diagnosis is on the mark, but he is too sanguine. Security is an area in which every CIO and the CEO to whom he or she reports feel a need to be perceived to be doing something, even a lot of somethings; but few of them have any clear notion of what to do, how to do it, or how helpful doing it is likely to be.
A case in point is that I just discovered, last week, a shop that is now, in 2014, beginning to use vanilla DES because it is "starting to open up its internal network to the internet". (In fact it did so in 2003 without being aware of the security implications of what it was doing.)

There is no easy solution to problems of this sort. The recommendations of independent professionals and their organizations are perceived to be too iconoclastic (and expensive); and the recommendations of governments are never, let us say, disinterested. Santayana observed that those who will not learn from history are condemned to repeat it; and it is now clear that every large organization must usually itself suffer a Target-like disaster before it takes action, much of which, even then, is likely to be ill-chosen.

John Gilmore, Ashland, MA 01721 - USA

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
