I came across this little gem of a post on IT security and can’t agree more with Mr. Bejtlich’s assessment. Here’s what he had to say on IT security and uncertified IT workers:
The myth is this: “If we just had a better trained and more professional IT corps, digital security would improve.”
…
Instead of spending money first on IT workers, educate their management, throughout the organization, on the security risks in their public and private lives.
The balance between security and business is common gray area that’s unlikely to go away in the near future. Differing ideals and philosophies towards security spread through all levels of corporate staffing and that difference in opinion often leads to security configuration extremes.
Perceptions of IT security range from paranoia to irresponsibility. Just as Richard Bejtlich blogs, the best case for striking a balance between the two is when all parties involved are educated and have a clear understanding of security and its necessity within the business.
