Security Myopia and Brushes with C-Level Insanity

Over the past few years, I've read many articles bemoaning huge losses due to corporate security incidents. I would often ask myself, "How could this have happened?"

After recently attending a security conference, I believe I've found the answer.

I sat in a room full of members of the C-suite. For those not up on current jargon, these C-Level folks are our CISOs, CIOs, SOs and so on. As we went around the room and heard from each member, I was nearly sickened by what I heard.

When asked about the architectural approach to creating a secure environment, they were clearly five years behind the curve. Proof of that came from one CISO who had convinced himself that MySpace didn't lose a cent when user provisioning failed. He was steadfast in his belief that losses associated with provisioning were much higher for his brick-and-mortar organization than for Web 2.0 platforms.

One individual stands out in my mind, though. With pride, he stood up and described how his organization had just deployed this great appliance that would alert him when it saw a "bad packet". He went on to say that it had 3,200 signatures for known "bad packets", which was better than the others he tested, with detection for roughly 800 "bad packets".
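Signature count is a vanity metric, and a short illustration makes the point better than more grumbling. The following is an added example written for this post, not anything from the conference or from any vendor's product: it pits a "large" signature set (one traversal pattern inflated into six literal variants) against a single signature applied after the request is normalized. The sample requests, the signature strings and the helper names (`expand_literal_variants`, `normalize`, `count_detections`) are all constructed for the demonstration.

```python
import urllib.parse

# Constructed sample traffic (not from the post): three request paths, two of
# which carry the same directory-traversal attempt in different encodings.
SAMPLE_REQUESTS = [
    "/index.html",
    "/download?file=../../etc/passwd",
    "/download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
]


def expand_literal_variants(base: str) -> list[str]:
    """Inflate one base pattern into many literal variants (mixed case, slash
    direction). This is how a signature count gets impressive without the
    detection getting any better."""
    variants = set()
    for case in (str.lower, str.upper, str.title):
        for sep in ("/", "\\"):
            variants.add(case(base).replace("/", sep))
    return sorted(variants)


# "Bad packet" set A: six signatures, each a raw byte-for-byte literal.
SIGS_LITERAL = expand_literal_variants("../../etc/passwd")

# Set B: one signature, but matched against normalized input.
SIGS_NORMALIZED = ["../../etc/passwd"]


def normalize(request: str) -> str:
    """Canonicalize the request before matching: percent-decode (twice, so a
    double-encoded path does not slip through), unify separators and case."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(request))
    return decoded.replace("\\", "/").lower()


def detect(request: str, signatures, normalizer=None) -> bool:
    """Return True if any signature appears in the (optionally normalized) request."""
    haystack = normalizer(request) if normalizer else request
    return any(sig in haystack for sig in signatures)


def count_detections(requests, signatures, normalizer=None) -> int:
    """Number of requests in `requests` that the signature set flags."""
    return sum(detect(r, signatures, normalizer) for r in requests)


if __name__ == "__main__":
    print(f"{len(SIGS_LITERAL)} literal signatures flag "
          f"{count_detections(SAMPLE_REQUESTS, SIGS_LITERAL)} of {len(SAMPLE_REQUESTS)} requests")
    print(f"{len(SIGS_NORMALIZED)} normalized signature flags "
          f"{count_detections(SAMPLE_REQUESTS, SIGS_NORMALIZED, normalize)} of {len(SAMPLE_REQUESTS)} requests")
```

The six-signature set flags only the plainly encoded request; the percent-encoded copy of the same attempt walks straight past it. The single signature, applied after decoding, catches both. When evaluating one of these appliances, the question to ask is not "how many signatures?" but "what does the box do to the traffic before it matches, and how does it behave on encodings it has never seen?"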
