...the problem here was that the Titanic indeed did meet all of the safety requirements of the time. And that a big part of the problem was that the safety requirements were drafted in 1894, at a time when there were rapid changes in the size and design of ships of this kind [...] the bottom line was that when the Titanic was reviewed by the safety accountants, they took out their checklist and went over the ship with a fine-tooth comb. When the day was done, the ship fully met all the safety criteria and was certified as safe.
This is where I see the parallels between the root causes of the Titanic disaster and the odd situation we find ourselves in today in terms of IT security. Security by checklist, especially by out-of-date checklists, simply doesn't work. Moreover, the entire mental framework that mixes up accounting practices and thinking with security discipline and research is an utter failure. Audits only uncover the most egregious security failures.
Compliance is a double-edged sword. For many security teams, especially those who work in an organization without a CISO or CSO to help cut through red tape, actual enforcement of policy is hard to do. Many of us aren't given any "teeth" so we're restricted to a bunch of hand waving and hollering and tantrum-throwing whilst being unable to actually make things more secure. Compliance can be used to acquire funding and hopefully get some traction on enterprise security initiatives. Security needs more than compliance, though. This is a great (but overtly dramatic) example of that.
Amen to that. In organizations where information services people are divided either by department or by geographical separation, the problem of implementing change with no upper support is like trying to move the 400 lb gorilla with the political equivalent of a spatula.
This flows into some issues pointed out by the book "Into the breach", which illustrated the need to make usable changes instead of just getting another 400 lb gorilla to force the other gorillas to move.