6 hard truths security pros must learn to live with

Nearly every company in the world has thousands of vulnerabilities that hackers can easily exploit. For anyone working in IT, this is not a bombshell announcement. It's business as usual.

The reality is that IT invulnerability is impossible at any price point. Instead, companies spend a major portion of their IT budgets on computer security defenses to prevent hackers from taking advantage of those same everyday vulnerabilities. The theory is simple: With enough layers of security, the bad guys will look elsewhere for easier targets.

It's a dirty little secret in the industry that no computer security solution really works as well as advertised. Every "guaranteed-to-stop, advanced-security system" is doomed to failure. The promised goal shared by vendors and IT alike is nothing but a pipe dream. Our best effort is all we can do.

The following six hard truths of IT security show not only why today's security solutions fall short but how we, as IT pros and an industry, can mitigate at least some of the inevitable fallout of imperfect security solutions.

Imperfect distribution of defenses

It's hard to lay down an infallible defense when you can't put your software on every device in your environment. Security solutions, by necessity, work on only a subset of platforms and versions, and this subset is always less than what the customer has. Some solutions don't support legacy devices and operating systems. Others fail to keep up with the latest OS and devices.

If one thing can be said about today's complex BYOD world, it's that the job of securing the network went from tough to impossible. Forget that security vendors don't support every platform. The base truth is that no one, not even IT, understands all the devices that are used to connect to your network. Is that a phone, slate, tablet, or subnotebook device? Does it run Windows, Linux, OS X, or a private OS no one on staff has ever heard of? Is it a physical or virtual asset? If it's a virtual machine, will it exist tomorrow? Is it running on a corporate host or on someone's portable device? Does it belong to us or a contractor?

Even for supported devices and platforms, device discovery and deployment are imperfect. You never get 100 percent of the devices scoped by your security solution, thanks to a myriad of issues, including network or site connectivity issues, blocked firewalls, offline assets, corrupted registries or local databases, separate security domains, and OS version changes.

Add to that the political and managerial roadblocks in what is often called the eighth layer of the OSI model. Management silos, business units, departments, and systems that get exempted by default -- even if you have a brilliant idea for securing company assets, you might not be able to deploy it.

As a result, IT security must live with the hard truth that some percentage of devices will never get the security software installed. At a bare minimum, it's important that any security solution be able to tell you which devices have successfully installed the software and which are having problems. Then you can look for commonalities and try to get the software installed on as many devices as possible.
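One way to do that reconciliation, as an added example that is not from the article: the script below (Python, with constructed inventory and agent-console data) compares what IT thinks it owns against what the security agent reports, lists the devices with no working agent and why, flags hosts that report in but sit in no inventory, and tallies the gaps by OS, site and ownership so the commonalities stand out.

```python
from collections import Counter
# Constructed sample data (hostnames, OS, site and owner values are made up): the
# asset inventory IT believes it has, and what the agent console actually reports.
INVENTORY = [
    {"host": "fin-ws-01",  "os": "Windows 10", "site": "HQ",     "owner": "corp"},
    {"host": "fin-ws-02",  "os": "Windows 10", "site": "HQ",     "owner": "corp"},
    {"host": "eng-mac-01", "os": "OS X",       "site": "HQ",     "owner": "corp"},
    {"host": "eng-lnx-01", "os": "Linux",      "site": "Lab",    "owner": "corp"},
    {"host": "vend-lt-01", "os": "Windows 7",  "site": "Branch", "owner": "contractor"},
    {"host": "vend-lt-02", "os": "Windows 7",  "site": "Branch", "owner": "contractor"},
    {"host": "kiosk-01",   "os": "Windows XP", "site": "Branch", "owner": "corp"},
]
AGENT_REPORT = {  # host -> install status as shown in the security agent's console
    "fin-ws-01": "installed",
    "fin-ws-02": "installed",
    "eng-mac-01": "installed",
    "eng-lnx-01": "install_failed",
    "vend-lt-01": "install_failed",
    "shadow-vm-09": "installed",  # reports in, but appears in no inventory
    # vend-lt-02 and kiosk-01 never reported in at all
}
def coverage_report(inventory, agent_report):
    """Reconcile inventory against agent status: returns coverage %, the
    inventoried devices without a working agent (tagged with why), hosts that
    report in but are missing from inventory, and counts of gaps by attribute."""
    known = {dev["host"] for dev in inventory}
    gaps = []
    for dev in inventory:
        status = agent_report.get(dev["host"], "never_reported")
        if status != "installed":
            gaps.append({**dev, "status": status})
    covered = len(inventory) - len(gaps)
    pct = round(100.0 * covered / len(inventory), 1) if inventory else 0.0
    return {
        "coverage_pct": pct,
        "gaps": gaps,
        "unknown_hosts": sorted(set(agent_report) - known),
        "commonalities": {attr: Counter(g[attr] for g in gaps)
                          for attr in ("os", "site", "owner", "status")},
    }

if __name__ == "__main__":
    r = coverage_report(INVENTORY, AGENT_REPORT)
    print(f"Agent coverage: {r['coverage_pct']}% of {len(INVENTORY)} inventoried devices")
    for g in r["gaps"]:
        print(f"  {g['host']:<11} {g['os']:<11} {g['site']:<7} {g['owner']:<11} {g['status']}")
    print("Reporting but not in inventory:", r["unknown_hosts"])
    for attr, counts in r["commonalities"].items():
        print(f"Uncovered by {attr}: {dict(counts.most_common())}")
```

Feeding it real exports (CMDB or directory on one side, the agent console on the other) turns the "install everywhere" goal into a measurable coverage number and a short list of the platforms and sites where deployment is actually failing.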

But installing the software is only the first challenge.
