Securing the Cloud

It suits vendors to present security as a technological problem that can be easily fixed with more technology — preferably theirs. But expecting fancy technology alone to solve the problem is just one of three dangerous misconceptions about digital security. Improving security means implementing appropriate policies, removing perverse incentives and managing risks, not just buying clever hardware and software. There are no quick fixes. Digital security depends as much — if not more — on human cultural factors as it does on technology. Implementing security is a management as well as a technical problem. Technology is necessary, but not sufficient.

A second, related misperception is that security can be left to the specialists in the systems department. It cannot. It requires the co-operation and support of senior management. Deciding which assets need the most protection, and determining the appropriate balance between cost and risk, are strategic decisions that only senior management should make. Furthermore, security almost inevitably involves inconvenience. Without a clear signal from upstairs, users will tend to regard security measures as nuisances that prevent them from doing their jobs, and find ways to get around them.

Unfortunately, says Mr Charney, senior executives often find computer security too complex. "Fire they understand," he says, because they have direct personal experience of it and know that you have to buy insurance and install sensors and sprinklers. Computer security is different. Senior executives do not understand the threats or the technologies. "It seems magical to them," says Mr Charney. Worse, it's a moving target, making budgeting difficult.

A third common misperception concerns the nature of the threat. Even senior managers who are aware of the problem tend to worry about the wrong things, such as virus outbreaks and malicious hackers. They overlook the bigger problems associated with internal security, disgruntled ex-employees, network links to supposedly trustworthy customers and suppliers, theft of laptop or handheld computers and insecure wireless access points set up by employees. That is not surprising: viruses and hackers tend to get a lot of publicity, whereas internal security breaches are hushed up and the threats associated with new technologies are often overlooked. But it sets the wrong priorities.

Detective Stories

A final, minor, misperception is that computer security is terribly boring. In fact, it turns out to be one of the more interesting aspects of the technology industry. The war stories told by security consultants and computer-crime specialists are far more riveting than discussion of the pros and cons of customer-relationship management systems. So there really is no excuse for avoiding the subject.

Anyone who has not done so already should take an interest in computer security. Unfortunately there is no single right answer to the problem. What is appropriate for a bank, for example, would be overkill for a small company. Technology is merely part of the answer, but it has an important role to play.
