Why companies must share the responsibility of security

Who do you think is ultimately responsible for secure software and general information security? Do you agree with Jonathan Yarden that companies must share this responsibility? Share your comments about whether companies should focus more on information security, as discussed in the July 12 Internet Security Focus e-newsletter.


Security is a multi-dimensional problem

by h.fitch2 In reply to Why companies must share ...

Jonathan Yarden certainly has a valid observation regarding corporate responsibility for applications - even padlocks and keys can be used in insecure ways. However, there also is a great deal of responsibility left in the bag for software developers and suppliers to share. Incomplete analysis, design, coding and testing of software (and hardware) produces processes that have loose ends, spaghetti quagmires and meaningless error and help messages - padlocks that don't lock reliably. Finally, marketing and sales hyperbole produce expectations that cannot be addressed, let alone met - the phantom padlocks that miraculously lock and unlock themselves perfectly without human intervention.

The answer is knowledgeable, responsible, professional behavior at all stages of the process. When security fails, "someone" obviously failed to perform adequately, but it might have been anyone in the chain - all must perform adequately for everyone in the chain to succeed.

Kudos Jonathan

by AnswerMan In reply to Why companies must share ...

That's all I can say. VERY well written. You realize of course that they still won't do anything until, they can't get their email, or the employees can't prepare a report that they need for a board meeting in the next five minutes, but ya........ they spend so much more on such unimportant things, turning their back on security.

I fear they will continue to do so, until it hits them in the wallet, AND bites them in the dangly bits.... After the lay-offs, blamestorming, head-chopping, and the dust has settled.... they may take another look at that "internet security stuff".....

With the producers of OS

by l'ancien In reply to Kudos Jonathan

But when cars show major failures, they get a factory recall, or get pulled out of production.

Major OSs are marketed with known serious faults and sold with false promises ("trust us, this time we got it right"); the public is then forced to implement fixes or lose its investment.

After roughly 20 years and 5 major changes (DOS, W3X, W9X, WNT, W2K), they still haven't got it right.

I agree an OS is a complex tool, but so are cars or planes, or a pharmaceutical drug, and they are getting safer.

Get back to basics and really fix it, before ramming a new model down our throats and threatening to stop support of older versions. The public is not looking for a newer, faster version with more possibilities; we are barely able to use a third of the features we have now.

So where does security responsibility ultimately lie? With the producers; let them finally take responsibility for the product they sell. Then we the drivers can get on with safely getting from A to B. We may have to implement changes to the roads and signals but will be able to rely on the vehicle.

Security is everybody's responsibility

by stress junkie In reply to Why companies must share ...

I've been a system administrator since 1985 and I've run a bunch of different platforms in the workplace: MS-DOS, TRS-DOS, Xenix, all versions of Windows, as well as some better designed products like VMS, Solaris, and Linux. I remember when Kevin Mitnick said that most of his shenanigans could have been stopped if the system administrators had simply implemented the security recommendations in the documentation. That perked me up to security. Working for the military administering machines that kept classified information enhanced my interest in security. After a while of thinking about it you get to the point where you automatically do a security audit when you walk into a room or look at a computer configuration. So, wherever I've worked, whether as a direct employee or as a temp/consultant, I've always tried to bring security issues to the attention of peers and management, largely without success. It's amazing to me the percentage of people doing this work that just don't care.

One thing that really bugs me is when the management of other departments do things or allow their employees to do things that are in violation of company computer usage policies. There is a recent discussion about this here at TR. I just tried to cut & paste the URL but couldn't get to it that way. The TQ&A question is titled Internet Sharing by user Gmap. This is the URL.

My point is that managers tend to exempt themselves from rules to the detriment of the business. It's all about a "You can't make me" mentality.

Other managers allow their employees to run software on their business machines that they brought from home or downloaded.

Combine that with the typically gutless IT management and you have a recipe for disaster.

re: stress junkie

by support In reply to Security is everybody's r ...

I agree with several things said. First, it's unrealistic to expect that software which consists of thousands, sometimes millions of lines of code is going to be absolutely perfect. It's just not going to happen. People write software and people aren't perfect. I think the software developers need to be trained in how to write better and secure code, so that they can do the best job possible but it still isn't going to be perfect.

I think companies need to hold their system admins more accountable for keeping the machines in their charge as secure as possible. There is really no excuse for machines to get infected by a worm or trojan, etc. when a patch for the problem was issued weeks, or most of the time a month or more, before the infectant was released on the internet. In my own observation, there are a lot of lazy system admins out there and they know that their non-technical managers don't understand jack about what they are doing, so they can totally bamboozle them with a load of BS about how there wasn't anything they could have done about getting hacked or infected. I've seen it happen quite a few times, unfortunately. What happened to people taking pride in their work and in doing the best job they can? A few people still hold that work ethic but I've seen too many that don't. All these servers still getting infected when already available patches and readily available established security guidelines would have protected them is sad proof of that.

holding IT accountable

by Harold.J.Ballinger In reply to re: stress junkie

We as a company offer SLAs to our clients that guarantee that we meet certain uptimes and resolution times for any technology problem that our service agreement users might experience. If we don't meet these SLAs, we are penalized and have to give money back to the clients. I have always believed that this is the best model -- HOLD YOUR EMPLOYEES/CONTRACTORS ACCOUNTABLE.

If more companies would design their IT staff's compensation in line with whether or not they met an SLA, I believe that we would see the "lazy admin" issues disappear. (In addition, I think that it would get all of the people out of IT that never should have been in IT in the first place.)

Secondly, companies should keep their vendors and contractors accountable in the same way.

Finally, we as a community need to hold the manufacturers and big players accountable. It is not acceptable when I attend a Microsoft Briefing and the MS Representative's reply to concern about poor programming is "Aren't you guys all contractors? Don't you get paid to fix these problems? So isn't it in your best interest if it doesn't work right?"

I would much rather be spending time moving my clients towards using new technological advances that can improve their businesses than earning the same money fighting problems in the products that they already have.

You are.

by admin In reply to Why companies must share ...

I'm tired of listening to the wimps whine. If you don't like the OS- write your own or get a better one. I don't hear the FreeBSD or even the Unix guys whining much. It's the wimps that only know windows that do the whining and M$ has cleverly marketed this into a "social" problem that needs government intervention, which the tax dollar hungry politicians in Washington have all too gladly signed on to. The creation of the internet welfare state system with the threat of security is by far the SADDEST thing that has happened to the information revolution so far.

OS complexity

by shadows14 In reply to Why companies must share ...

Had just read that Windows XP has forty million lines of code. I believe they have their hands full and could use all the help possible to protect us all. I do believe that industry and all users should lend a hand, but that isn't going to happen.

No OS is perfect

by stress junkie In reply to OS complexity

Some months ago I read a report at CERT which stated that no OS is buggier than another. The main reason that Microsoft software is in the news is because it is so popular that malcode writers tend to focus on it. Generally the sociopaths that write malcode want to get the most bang for their buck. I believe that if Sun Solaris were more popular in all markets than Microsoft, then most security reports would be about Sun Solaris.

The ultimate weapon against security breaches is the end user. Unfortunately the corporate end user is often not interested in security and the typical home user is not technically savvy enough to protect themselves.

I have said since 1985 that the desktop computer has got to be as easy and secure to use as a telephone or a television. That absolutely must be the goal of desktop computer hardware and software manufacturers.

Security is everyone's responsibility

by gometrics In reply to Why companies must share ...

Security is a state of vigilance and we all play a part, from the lowliest clerk to the software developer to the corporate CEO. Isn't it convenient and easy for leaders to gather together and abscond themselves from this issue. Leadership is getting in there and creating the vision, entering into the pain, and working alongside those grappling with burdensome problems...not sitting on the fence and criticizing others.

And we all need to let go of the idea that there will be the "perfect" product that requires no maintenance, no updates, and has no security risks. This is not the reality of our world in any arena...though we should continue to strive for the best in a constructive manner. Good article.
