In this country, people grow up assuming that the aim of any challenge is to surmount it; tests exist only to be passed. And, as you quickly learn after earning an information systems degree and getting some experience in the day-to-day world of IT, one of the most frequently tested areas of corporate technology is security. But passing information security tests may not be all it is cracked up to be.
A quick look at the statistics shows why the topic is under such scrutiny. According to figures reported to the United States Computer Emergency Readiness Team (US-CERT), security incidents reported by federal agencies grew from 5,503 in fiscal 2006 to 41,776 last year (fiscal 2010), an increase of roughly 650 percent in five years. According to Symantec's Internet Security Threat Report covering 2010, 6,253 new vulnerabilities were disclosed that year, 14 of them zero-day vulnerabilities that were exploited before a patch was available, and the average data breach caused by hacking exposed about 260,000 identities.
Of course, any IT department wants to do well on security audits; a clean result is taken to mean the company is protected from attack. But is that really the right goal? As Nemertes Research founding partner Andreas Antonopoulos notes, if your organization never fails a security audit, there are only two possible explanations. The first is that you have perfect security. Realistically, that is impossible. Every machine and system carrying the latest patches? No unpatched zero-day vulnerability anywhere in your environment? Every employee using strong passwords and never giving anything away to social engineering? Not a chance. The second explanation? You are not trying hard enough to fail.
According to Antonopoulos, Nemertes found that 36 percent of companies had suffered a security breach, but only 15 percent had ever failed an audit. Even if every company that failed an audit were among the breached, that leaves at least 21 of every 36 breached companies, well over half, that were breached without ever failing an audit; many of them presumably thought themselves protected because they had passed. A security audit should be a tool, and a tough one, that batters a company's defenses without mercy to see whether they hold. If companies suffer breaches while passing their audits, something is wrong: it is the audit, not the attacker, that should be uncovering the flaws that crack under pressure. As Antonopoulos notes, a company can expect a security event at least once a year and a serious breach about every three years. In that context, your company should be failing audits, because those failures are what uncover the problems in your security systems and procedures.
If it is not, then perhaps the testing is too easy. Perhaps an internal group, or even an outside security consulting firm, is handling the company with kid gloves. IT executives and administrators must create an atmosphere in which learning from failure is possible and even encouraged. A failed audit should be bad news that leads to good news, while a passed audit, gratifying as it is, always carries the risk of false confidence that ends in something worse.