Computerworld - I had a bad dream the other night. In it, I was sleeping in the back seat of a convertible. I woke up because the air had gotten chilly and the car was swaying. I rubbed my eyes and tried to shake the cobwebs out of my mind as I peered into the front seat. No one was driving. I scrambled over the front seat and took the wheel, only to discover that I had no control over the car. It's not that the car was careening out of control; it had a mind of its own. It was steadily taking me up a steep, winding mountain road with cliffs on either side. The road got narrower and narrower before the car finally came to a stop. I looked around and suddenly became very afraid. Then I refused to continue the nightmare and woke up.
We could spend some time interpreting it, but I think it's pretty clear that this dream represents how I feel about managing information security. I'm driving, but I don't have control; we haven't gone off a cliff, and I'm not going to be happy if we do. I have a company's information assets to protect, and I don't want to have to notify our customers that their personal information has been exposed or deliver the news that our network just got "owned." To keep the bad dreams at bay, I'm going to have to make some changes.
For starters, I had it out with my boss the other day and told her that I wanted complete control over all network security operations, including firewall, virtual private network (VPN), router and domain access administration. Those things are currently managed by IT operations, not security operations. I need additional head count. I need tools. And I want an organizational change. I don't care about policy. I don't care about process and procedure (Sarbanes-Oxley be damned). I care about doing what it takes to secure my company's information assets.
What brought me to this point? In my last column, I was fighting the virus war. It's going well. We hired a contractor that does nothing but track down infected systems, scan them for viruses and spyware, and apply operating system patches. You may ask, "Why in the world isn't that automated?" It's a long story, but remember, I inherited this network. I didn't build it.
The enterprise antivirus system is scheduled for an upgrade within the next week or two, and that should allow for tighter controls and
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
