Wednesday, October 17, 2007
Enterprise Architecture: Will the real IT security professional please stand up...
The folks exploiting enterprises are running circles around the network guys. Software developers write the stuff that the network guys operate. If you have never written a line of code in your lifetime, how could you possibly understand how software is exploited?
I wonder what would happen if we were to track down every CISO in large Fortune enterprises and got them to understand that folks who think they are security professionals really aren't and are simply practicing network hygiene. Are Firewalls really security devices to keep the bad guys out or are they simply network hygiene devices?
Enterprises are spending way too much on network security. If you spend 85% of your budget on the network yet 85% of all attacks are all about software, does your spend make sense?
The enterprise is getting more porous where the firewall is increasingly being opened to allow for business to be conducted in an electronic fashion. The notion of the DMZ is heavily discussed by infrastructure oriented folks without acknowledgment of where the term originated. For those who have gotten it twisted, the acronym DMZ originated in the military and described a location where you could place things that could be sacrificed. Nowadays, if you were to place your company's web site in the DMZ, could you sacrifice it? I think not.
Using network orientation to protect software simply isn't sustainable and it is time for network folks to acknowledge that the only way for security to be realized is to write software securely. While they are at it, they should also acknowledge who the true security professionals of the future are...