You can't secure what you don't acknowledge.℠

Wednesday, September 17, 2008

Just throw some more money at the problem - that'll fix it

Yesterday, the Cobb County government school system - the county where I make 99% of my retail purchases - had its wish fulfilled when voters chose to renew the current special purpose local option sales tax (SPLOST). This in a county where the government schools are fraught with fierce politics and wasteful spending. I know not only because of the stories I read but also because I've seen it firsthand. I know some former employees as well. I've also worked in several other government school systems in the Atlanta area and I know what takes place at the central office level. The stories of poor leadership and disdain for taxpayers are unbelievable.

Anyway, the mentality behind the renewal of this tax here locally for me - and all across the nation - is "if we spend more on students we'll get better results". This myth has been busted over and over again. The same goes for information security. Very often I see organizations with fancy firewalls, patch management systems, employee monitoring software, wireless IPSs, network access control systems, and more. But these same organizations very often have firewall change management issues, exploitable patch-related vulnerabilities, users doing whatever they want when they want, rogue wireless systems, no proactive monitoring or systems disabled altogether - you name it. Even when a technical control is in place, another vulnerability is right around the corner, basically negating all the money that was spent to make things seem more secure.

Furthermore, based on experience, the only people who really vote for more taxes on themselves in a SPLOST scenario are school system employees and certain parents who are blind to how money is being wasted in so many other places. This ignorance reminds me of how management often overlooks information security. As with lazy voters on SPLOST voting day, management's perception of the value and importance of information security doesn't motivate them enough to get up and do something about it.

Very frustrating....
