Top 10 reasons your security programme sucks and why you can't do anything about it


In the security industry we like to fool ourselves into thinking that we can materially impact an organisation's security posture.

We believe that new tools, a new framework, a new regulation, a new school of thought will lift the veil of organisational ignorance and enable us to attain the state of enlightened security practitioner.

But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.

Maybe it is time to stop fooling ourselves and recognise that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.

So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin, and as you're sitting there pondering what went so terribly wrong, take a moment to reflect on the top 10 reasons your security programme sucks and why, no matter how much you kick and scream, it will continue to suck…

10. You have no idea what your environment looks like right now, even though you think you do.

9. Even if you did, which you don't, you really have no ability to effect change across your environment in a timely manner anyway.

8. Your company is far more concerned with shareholder value than information security, as they should be, but damn it sucks to have to explain to the CFO why you need to use tempest shielding paint, a man trap with armed ninjas and a moat of hungry crocs to protect the server room.

7. Your executives follow the latest hyped trends no matter how much extra work it will create for you and your team, supersoacmdbfragilisticloudcomputvirtuaiphonexusalidocious.

6. The tools you use are ineffective (they don’t really work) and inefficient (they cost way too much), not to name any names but they go by the acronyms H-P or I-B-M or C-A or B-M-C.

5. Your security vendor is lying to you, and why shouldn't they? You believe them.

4. Your security and operations teams hate each other, hell they don’t even speak the same language.

3. The bad guys are more interested in attacking you than you are in defending yourself; at least they work longer hours.

2. You're dealing with the exact same problems you dealt with a decade ago, only it seems so much worse today than back then.

1. You do not believe that your organisation suffers from any of the above problems.
