IT Security: Be More Boring

There are a lot of folks in Info Tech who want to make a splash. A name for themselves. I always said if you did your job right, no one would know you were there. Security pros at hacker conference: Be more boring | TheHill

Every day you get up and turn on a light. Most days that works. When the light doesn’t come on you are pissed.

Mostly, people don’t want to think about the computer technology they use to get their job done. They just want it to work. When it doesn’t work, they are like the guy standing in the dark: pissed off (and not very productive).

Actually, most of IT could stand to be more boring. Perform more system upgrades. Manage networks and user IDs more closely. How about removing access for people who leave the company? Boring, but critical.

It is hard to believe that there are still so many media stories about the WannaCry ransomware attack in May, but a lot of executives are screaming about how “they had no warning” or some such. As if Microsoft dropping support for XP in 2009, and extended support in 2014, wasn’t warning enough. Or its issuing an emergency patch earlier this year for an unsupported operating system wasn’t a warning. (And any bets on how many actually did get warnings from their in-house IT staff? But those damn IT folks are always asking for something!) This is one of the better stories, since it comes out of what is happening at B-Sides/Black Hat/Def Con.

After a year of high-profile attacks that took advantage of security flaws most researchers no longer find exciting, many are encouraging security professionals and policy makers to return to basics – even if it is less glamorous.

“There is a lot of hype in cybersecurity,” said Mischel Kwon, the former head of the United States Computer Emergency Readiness Team (US-CERT) and former chief information security officer and director of the Justice Security Operations Center at the Department of Justice. She currently heads the firm MKA-Cyber.

“There’s a lot of B.S.,” she said. “The easy things aren’t sexy. We keep talking about the same problems, and we know what we have to do to solve them. Why don’t we?”

We keep talking about the same problems because actually managing infrastructure is not sexy. Building the latest new thing is sexy. People want to make a name for themselves. Rise in the industry. Or something. It is one of the reasons I am no longer in IT. Beating my head against the same brick wall got old after 18 years. After years of obsolete hardware and software not getting updated, after support not being funded for critical infrastructure, you begin to wonder why you are bothering, when no one else seems to care.

As for any executive in any industry who claims “We had no warning” or “This was a wake-up call,” they should be fired, because that is a bald-faced lie. They have had a lot of warning. They just believed that they knew better than those poor lowly schlubs in the IT department. What could they possibly know about what might be important to the business?