Dirty laundry: the dark secrets of working in the technology industry

Does your firm have a Snowden?

With the Edward Snowden scandal still fresh in the minds of many, we know just how much damage a disgruntled employee can wreak if given the impetus to do so.

In fact, it is very easy for anyone in IT to sift through all the data coming in and out of an organisation's network should they be minded to do so. The enterprise can only be as secure as the ethics IT administrators live by. Administrators are privy to far more data than they need to be to carry out their role – and, to be honest, the same argument can be made about the humble user.


The now infamous whistleblower, Edward Snowden

The familiar "insider threat" problem means that organisations should operate on a "least privilege" model: people have access to the minimum amount of data their role requires, and that access is continually monitored.

Consultants taking the credit, and dodging blame

From time to time, consultants can be brought in to help implement particular systems. When it all works, it's great, but some consultants will try to take all the credit for the implementation.

Equally, if things go wrong with a project, these consultants can put the blame on IT staff and argue that the system works elsewhere, and the problem lies in how local IT infrastructure is implemented.

IT certifications don't mean a person is good at their job

Recruiters and human resources personnel use certifications as a way of trawling through the hundreds of job applications they get when sourcing personnel for roles within the IT organisation. It's a quick fix that matches up people to roles. But old-timers will often lament that people hired on the basis of how many certificates they've got may not have the real world experience to actually do their jobs.

While a certificate may get someone through the door and show that they are dedicated to a career in IT, it is not that great a gauge that the person is any good at their job.

There is no perimeter in IT security

With infrastructure there is often talk about guarding the perimeter from hackers. The truth is, there is no perimeter and believing there is one is like believing in the Easter Bunny.

And if there were a perimeter, where would it be? Organisations and security vendors can't really define where the perimeter is. It could be the endpoint, the user or where the physical network actually ends. Putting controls on any one of these gives an organisation a false sense of security, as hackers could simply find another way in.

And if anything, the cloud makes this worse with applications and servers running outside of the traditional network, but still interacting with users within that network as well as those outside it.

It is better to design security with no assumption of a perimeter – for example, by guarding a firm's data itself rather than the boundary around it.