05 July 2009

The Problem with IT Security: Why We Are Losing the Battle

IT investment in security is incommensurate with the emerging threats. Most organizations continue to approach security as if the enemy is the former Soviet Union instead of Al Qaeda. During the Cold War our defense posture relied heavily on nuclear deterrence, which meant building deadlier bombs and putting them on payload systems that could incinerate entire cities in a flash. On 9/11 it took only a handful of Islamic crazies to bypass our entire security apparatus, shaking our foundation and nearly bringing the entire country to its knees.

In IT the highest spend continues to be in firewalls and anti-virus software. These are the equivalent of ICBMs, swallowing up more and more of the security budget. Both are needed, but they don't come close to addressing the new generation of risks. As Adam Muntner of QuietMove notes: "For most organizations -- even some Fortune 1000 companies we work with -- security spending is not even close to being in line with the risks and threats they are trying to address."

The 5 Big Emerging Threats are:

  1. Trusted Users and Partners. We are exposing more and more data to more and more "trusted" people without proper monitoring and authorization.
  2. Web Application Vulnerabilities. According to a Gartner estimate 75 percent of current attacks take place through application vulnerabilities. Most organizations, particularly software developers, remain clueless about application security.  
  3. Missing or Stolen Devices. Enterprise data is now ubiquitous in everything from unencrypted laptops to mobile phones.
  4. Custom Malware. Signature-based anti-virus systems are completely ineffectual against custom malware. Traditional armies wear identifiable uniforms. Guerillas and terrorists don't.
  5. Social Engineering. How many of our even "sophisticated" users fall prey to phishing attacks or share their passwords with strangers?

Most security organizations are fighting the old enemy and it's only a matter of time.

Source: Baseline Magazine, June 2008. "Closing the IT Security Gap."

15 June 2009

A Ridiculously Simple View of Enterprise IT (Higher Education)

For those responsible for technology planning I thought I would provide a Ridiculously Simple View of Enterprise IT, particularly from a higher education lens. The diagram below is intended to provide the major functions of an enterprise IT organization in higher education. In future posts I will drill down in each area to illustrate key challenges for those involved with strategy and planning. I will also provide another diagram soon for what I call enterprise Business IT (eBIT). Most of us know that true technology planning is business planning. But how to represent that? Stay tuned.

[Diagram: Enterprise IT]

22 March 2009

Online Headcount Growth - Minnesota State Colleges & Universities

Here's a chart showing our growth (Minnesota State Colleges & Universities) in online headcount from FY'2004 to FY'2009 (projected). I am very proud of my team that supports the underlying enterprise technology and infrastructure, which at the core is the Desire2Learn Learning Management System.

Last calendar year our uptime for the system, which supports more than just online students, was 99.98%. 

28 February 2009

Winners never quit, and quitters never win

Joe Henderson's reflection on an old locker-room slogan in "Early Miles", Marathon & Beyond (May/June 2008) magazine:

"The first level of winning is completing what you have set out to do, be it a mile or a marathon. By finishing, you've beaten everyone who started but dropped out early, as well as those who hadn't started and never would.

The second level of winning is improving. You're granted about a decade of improvement, and getting faster or going longer doesn't require beating anyone else, only a time or a distance.

The third and highest level of winning is continuing after improvement stops, as it surely will if you run through enough years. Slower and shorter running still beats no running at all.

Winners never quit; quitters never win. This locker-room slogan means much more to me now."

Joe's observations can be applied to life. Finish what you start. Continue to improve. Make it a habit and be relentless. Joe Henderson's weekly Running Commentary is worth checking out.

18 February 2009

Managing Your Privacy Settings in Facebook

I have started to create a series of mini-tutorials on managing your privacy settings in Facebook. The first two are available now:

  1. Tutorial 1: Facebook Privacy Settings
  2. Tutorial 2: Facebook Privacy Settings


One of the best ways to protect your identity information and intellectual property in Facebook is to take personal responsibility for managing your privacy settings. No matter how Facebook ultimately comes out in formally stating its Terms of Service, if you lock your privacy settings properly there will be a strong presumption that your information will be shared and used by Facebook consistent with your wishes. Zuckerberg has said publicly that: "In reality, we wouldn't share your information in a way you wouldn't want." The only mechanism to express what you want is to use Facebook's privacy settings.