2 min read

How IT departments pour security dollars down the drain

Neils Johnson

IT departments spend hundreds — maybe millions — of dollars a year on network security systems to protect the organization from ever-increasing threats.

But a Symantec Corp. technology evangelist says the worst thing they do is sometimes turn some — or all — the capabilities off to boost network performance.

“There’s illustration after illustration out there that point to huge mistakes on the part of IT saying turning a dollar is more important than security,” Neils Johnson said in an interview Wednesday at the SC Congress security conference in Toronto. “It may be in the short term; long term that philosophy is going to own you.”

The second biggest mistake IT professionals make is believing anti-virus protection isn’t needed. It has moved down the list of priorities, he said, but without it the organization is vulnerable to virus-born attacks.

Finally, many don’t do the basics like keeping systems patched. At least 75 per cent of network breaches wouldn’t be an issue if security-related software is up to date. he said.


Johnson was at the conference to give a spirited talk on the need for security professionals to focus on risk definition and mitigation rather than IT infrastructure.

He doesn’t suffer from opinions — or energy, striding across the stage and letting loose with entertaining broadsides:

–”If your priority is dealing with risk from an infrastructure perspective, you are so behind the curve. You have to deal with (protecting) the infrastructure, but today it is so not much about the infrastructure” but protecting corporate data;

–”Bad things happen to good people:” Risk comes from everywhere — the threat landscape, HR, litigation — and security pros need to ensure they can have IT systems up and running after any malady hits;

–”I like people … but people by and large bring with them three strikes: They are inefficient, ineffective and error-prone … Anything I can do to put an air gap between the information and the infrastructure, and protect both from people, in my mind is risk mitigation. I want to eliminate people to the best of my ability from the equation.”

–Employees, customers, supplies, vendors are “egomaniacs” who want their information on their screens and don’t care about separating personal from corporate data. That’s IT’s problem, the figure.

–People talk today about big data, but when data mining huge amounts of data becomes common it “will change the way you and I consider security from an overall perspective.” Target number one will be the huge repositories of data — on premise or in the cloud — organizations have been stockpiling. And that will impact today’s careful plans for disaster recovery and business continuity plans, he suggested.
One problem is organizations have departments that don’t work together, he said. “Someone has to stand up inside the organization and say it’s time to stop and understand we’re all going to play nice in the sandbox. Today that’s nearly a requirement. Tomorrow it will absolutely be one.”

Read the whole story here