Saturday, April 4, 2009

Less Compliance and More Reliance

One of the most frustrating situations a "true" security expert has to face is organizations who approach us who obviously are merely interesting in implement security as a means of complying with "something". That "something" can be a legal mandate, a corporate policy, or a reaction to something that made the news. It is more or less security theater.

In the current tough economy we are now facing, I have seen a slight drop in organizations wanting security theater, since those interested in compliance are currently more interested in keeping the doors open. Organizations wastefully spend budget for what amounts to nearly useless security as a means of checking an item off of a list, but the item is not even on the list of some organizations right now. In some companies the item may be at the bottom of the list, but the items above it are so enormous, that it may as well not be on the list at all.

What this really means is that organizations looking at security are either being reactive (reacting to a real problem), or are proactively looking at security because they are convinced that a lack of security will lead to huge problems. These organizations do not want a checkoff security item, they want REAL SECURITY.

What this means for the industry is that security organizations who are providing little more than great buzzwords and complicated jargon to their potential customers are going to end up bankrupt, if this continues.

...at least I hope that is what happens

Lots of companies get away with pulling the wool over our eyes all the time, but they eventually get exposed for what they are. I hope we all become more intelligent about security and can all work together to weed out the trash.