Version: 2008

Comments on: Don't trust security to techies alone, Gartner says

Businesses should no longer let IT staff dictate how a company secures itself, analyst firm says.

Utter nonsense
by September 16, 2005 10:53 AM PDT
The most dangerous person in technical matters is someone who's 'kinda' a techie. Someone who 'thinks' they know the topic, but doesn't realize they don't. Much of my career has been fixing major mistakes people like that make.

If you want a secure network, the last thing you want to do is hand the job over to Dilbert's pointy-haired boss.
I second that
by September 16, 2005 11:44 AM PDT
enough said.
"People Like That"?
by September 16, 2005 1:44 PM PDT
Undoubtedly, the configuration of a firewall appliance or an IDS should only be done by someone who understands how to properly configure the product or device. However, it's a grossly false assumption to believe that just because a person understands what a port filter is, they can also understand the big picture of regulatory compliance, best practice implementation, and risk-threat profiling that makes the port filter necessary in the first place. Yes, some people can do both -- but not many. If you're one of them, well then, bully for you. If not, you'll need to learn to recognize the value of security management and security implementation teams working together.

Security management is a *business* function; technology helps to facilitate it by providing mechanisms, but without a governance framework (such as policies, standards, sanctions, and the management structure to back them up) and assurance mechanisms (such as risk management), which are driven by *business* factors (not technology), your security program will have little chance to meet the real needs of your organization.

No doubt, implementation of security products and tools requires proficiency. But similarly, you don't need to know how to configure a port filter in order to develop a comprehensive security program -- instead, you *do* need to understand how to analyze information assets, assign value, and recommend solutions to mitigate threats. These are analytical *business* skills, not technical skills, and it's "people like that" working *in conjunction* with technical security implementers who make good security happen.

Without both types of people, the business unnecessarily exposes itself to risk, and the technical security team becomes just another unjustified IT expenditure to cull during budget season.
Excellent!
by The Harper September 16, 2005 11:11 AM PDT
This is actually a smart position for Gartner to take. If you think about it: What are two functions that cannot be safely farmed out to India? Managing a company's firewall, and dictating that company's security policy.

So if you are one of the "sheep" companies out there that realizes that you just HAVE to outsource your entire IT department to India, Gartner's news is excellent! Now, you can still offshore your entire IT function, and when it comes to firewall and security management: Just hire an MBA!!

Or better yet, hire a Gartner analyst!!
A deluded viewpoint
by September 16, 2005 2:36 PM PDT
Software Analysts, Team Leads and Project Managers often have the best view of the business process from an IT standpoint. Organizations facing the problems aren't going to solve them in the manner outlined above, as no business major is going to understand the intricacies of electronic security.
Leave data and net security to the IT pros
by msims September 17, 2005 1:43 PM PDT
Turning the management of data and net security infrastructure over to senior management in any business is a recipe for disaster. Most may just have MBAs without technical computer backgrounds and lack the intensive training that's required for successful MCSEs.
Companies are starting to see this move as just another cost-cutting ploy to reduce money that's really needed for maintaining security of intranets and extranets as well as the secured data that's stored and accessed by millions of people worldwide.

Security is not just a set-it-and-forget-it one-time event; it's an everyday recurring challenge to patch, configure and implement the security needed for the everyday changes in security breaches and viruses which invade corporate datacenter servers every day.

Letting an MBA manage the IT security system is like letting a 5 year old kid play with fireworks.
The realm of the MBA is strictly running and maintaining every business aspect, while that of the IT pro is to secure and maintain the confidence and trust of customer and business data.

To ask an inverse question: Should an IT pro be concerned about profit margins at all? No. That's the job of the MBA, and neither should an MBA futz with the network which the IT pro has many years of experience building and maintaining.

Let the MBAs worry about the profit margins and ream through their spreadsheets, and leave the security patches and viruses to the IT pros who have years of IT training and expertise and know how to configure the systems best.
concerned about profit
by alek_nedic May 5, 2007 9:53 AM PDT
http://www.analogstereo.com/vacuum/miele_flamenco.htm
Written like a true anti-geek...
by September 17, 2005 7:45 PM PDT
I spent time working under a CIO/CFO that knew the numbers well, but didn't understand the function of security. I now spend time in the company of computer hackers to hone my skills for security. I can tell you one thing for certain, if your plan is to cut back on security spending, I have some friends that will be able to travel the country for a few more years, speaking on the lax security they find in the many companies that they consult for.

Your company's security is only as good as the amount of money you put into it. No system is truly secure, only fortified enough to make an adversary go away and find other pickin's. Given time, any system is vulnerable. I do agree that there is a fine line dividing adequate security and overkill. There is also a price tag on the downtime you get when you are brought to your knees by some kid in Germany who decides to make your server a warez server, based on some crack that Microsoft hasn't issued a patch for yet. I wouldn't hand over the reins to an MBA any more than I should be given control of the books. We all have our place, and mine is securing your borders, patrolling the network and watching for the next event. Your place is finding ways to bring in more money, not cut my budget to the bone to make your bottom line look better.

I use the pronoun "I" because I cannot speak for the masses. I speak on what I know from my experiences, and those of my colleagues. If your experiences say that you should cut back on security, putting a pencil pusher in place of a security professional, then by all means, do so. I or one of my people will be coming to see you in a year or so, putting the pieces of your fragmented security back together. Hopefully, you will have moved on to another venue, and we can go about making sure things are the way they should be.

I have a better idea. Meet me in the middle. I'll listen to your ideas, if you will listen to mine. Understand that I spend what you might think is a boring life pursuing what I love, security, and it is what I do. I am a professional. If you'll take me seriously, I will take you seriously. If we can work towards a common goal, one that we both agree on, then we might just get somewhere. Otherwise we'll probably argue, and I will make it where you can't get your stock quotes when you need them most. :)