It's hard to know how well we are doing in the fight to keep our systems secure. Sometimes, it seems as if we've got the hackers beaten, and at other times, we seem wholly vulnerable to anyone who wants to try their luck.
2004 was a strange year, in which we saw some spectacular successes accompanied by some of the most devastating and fast-moving worms and viruses. And while we saw real progress in the technology we use to protect ourselves, the most damaging threat of the year came from the Sasser worm, written by a German teenager.
The end-of-year survey of our readers – as representative a bunch of people as you are likely to find – confirmed the mixed picture. They were split down the middle between being optimistic and pessimistic, their attitudes coloured in some respects by the availability of funds, but not entirely so.
The main fear seems to be that the hackers are getting cleverer and more cunning. And with organised crime also becoming involved, hackers are not starved of funds, unlike many of our readers, who say they are.
However, I can't help thinking that many of our problems are self-inflicted. The mad dash to get new systems up and running means we constantly cut corners. Many online systems fail to validate the data users type in, and pass it straight into database queries, leaving them open to SQL injection attacks. System patches are applied without proper testing. We update live systems directly to save time, rather than going through the tedious change-control procedures that keep us safe but cause delays.
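The input-checking failure mentioned above is easy to see in code. The following example is added here as an illustration and is not part of the original column: it uses an in-memory SQLite table with two constructed user rows, shows a login query built by string concatenation being bypassed with a classic `' OR '1'='1` payload, and then shows the two fundamental checks that close the hole, a whitelist validation of the username and a parameterised query. The table layout, usernames and passwords are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data for the example: a tiny login table.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def validate_username(name):
    """Fundamental input check: accept only a short alphanumeric username."""
    return bool(USERNAME_RE.match(name))


def login_vulnerable(conn, username, password):
    """The corner-cutting version: user input is concatenated into the SQL text,
    so whatever the user types becomes part of the query."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def login_parameterised(conn, username, password):
    """The corrected version: input is rejected unless it passes validation,
    and the query uses bound parameters, so input is always data, never SQL."""
    if not validate_username(username):
        return []
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    """Run the same attacker payload against both versions, plus a genuine login."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        # The concatenated query becomes
        #   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
        # which is true for every row, so every account "logs in".
        "vulnerable": login_vulnerable(conn, payload, payload),
        # Validation rejects the payload outright; even without it, the
        # bound parameters would only match a user literally named "' OR '1'='1".
        "parameterised": login_parameterised(conn, payload, payload),
        "legitimate": login_parameterised(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The validation step is the "fundamental data input check" of the column; the bound parameters are the defence that holds even when validation is forgotten, which is why a practitioner wants both.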
Security policies are allowed to gather dust because they get in the way of the pace of commercial life. But when the waste matter hits the air-conditioning, who gets the blame? You, of course.
Which is all the more reason why information security people have to get their voices heard in the organisation. But how?
Well, as this month's cover story demonstrates, there are ways of changing the way people view you in the organisation. The article deals with a training course that's been running for some years at Cranfield School of Management, and which has become highly successful in transforming frustrated infosec professionals into effective political operators.
The basis of the course is an understanding of psychology: both the psychology of the average IT person and how people think in other parts of the business, in the boardroom, HR, the marketing department and elsewhere.
Those who have attended the course say it equips them to work effectively with other disciplines in the business, adapting their approach to their specific audience. These people will be the ones who succeed in winning the funds and the support to put IT security in its proper place during 2005.
Ron Condon is editor-in-chief of SC Magazine