Seeking: Young woman for marriage.

I stumbled upon this gem in the classifieds section of a small local newspaper in Villach, Austria.

Looking past the obvious desperation, this gentleman’s request was similar to what we observe regularly in the IT Security industry. The following statement could very well be found in the same section: “Seeking: Young IT Security professional to make us compliant.”. Let us take a quick look at the similarities of these two statements.

While we can only speculate on the intentions behind the original advertisement, the young qualifier in the job advertisement fulfils a number of functions for the upper management team. A young professional is more likely to put in crazy hours to appeal to his/her new bosses. While at the same time earning a fraction of what you would have to pay for a seasoned manager that has been through a few rodeos.

But, much more important is the fact that it is easier for a seasoned executive to override the decisions of a young person. Even to the point of making them question their own knowledge. Does my company really need to consolidate the authentication and authorization solutions found within our environments? Assume the CEO says that the proposal is nonsense and will cost the company too much while not adding anything to the profit. A young and impressionable IT Security manager might offer much less of an obstacle than somebody older, who has seen what kind of havoc and damage a poorly designed, implemented and managed solution can cause within an organisation.

This is a bit more subtle but even more dangerous. The fact is that both of the desired outcomes are not the right target to aim for. Just as the ultimate goal of a relationship isn’t marriage, but rather love, companionship, stability, mutual compassion, in short, a loving relationship. The ultimate goal of any IT Security professional shouldn’t just be to satisfy compliance towards any external or internal standard, but to ensure the security of all aspects of the organisation. Compliance will come naturally as a welcome side-effect of a well implemented approach to security.

Doing security just for the sake of compliance will ultimately end at just ticking a compliance checkbox. What good is a paper telling you that your organisation is compliant with a standard or regulation when in reality your digital assets are exposed to attackers.

Now, this is NOT an attack against young professionals or the managers that seek them out. This is just what I have observed over the years. In times like these, when the news of one major breach after another pops up in our newsfeed and the reasons for those breaches boil down to carelessness, a lack of resources or the lack of security awareness within companies. I think organisations and specifically upper management will need to start realising that proper security is not just a cost-factor, but that it is becoming a question of life and death for every company and consequently also for the upper management.

Negligence in the handling of personally identifiable information, payment data, as well as, company assets will not be tolerated much longer. Legislators and shareholders alike need to make sure their investments are secured and can’t be attacked by anybody who knows how to use an internet browser. I am not talking about complex exploits, created for a specific target, tailored to the execution environment of the victim. Those “professional” attacks are one thing and need to be defended against, obviously. No, I am talking about the massive vulnerabilities introduced due to the lack of resources, understanding and planning on the victim side. Is victim actually the correct term in this case? If you walk through some shady part of town with a bundle of money sticking out of every one of your pockets, you will have to take a large part of the blame for the mugging you’re about to experience.