10 security mistakes that will get you fired

Roger A. Grimes | Nov. 18, 2014
From killing critical business systems to ignoring a critical security event, these colossal slip-ups will get your career in deep water quick.

Getting fired from an IT security job is a rare event, but there are certainly ways to ensure or accelerate your own unemployment. I'm not talking about garden-variety mistakes here. After all, most IT workers create or live with lots of little mistakes every day. That's the nature of complex, rewarding work.

But it's also a large reason why IT doesn't do a better job at computer security. As systems become more complicated and companies more responsible for increasingly sensitive private information, the stakes for IT security keep escalating. With increased stakes comes increased pressure on those charged with fortifying corporate defenses.

Trust your skills, follow corporate directives, and concentrate on the basics, and you'll have a long career in IT security. Help your employer right-size its defenses in the right places, and you'll excel. But fall prey to one of the following mistakes, and you'll be looking for new work -- maybe a new career -- more often than not.

Colossal security mistake No. 1: Killing critical business functionality
Every security pro knows intuitively that derailing critical business functionality is a job-killer. You'd be far better off letting hackers stay inside the company than interrupt core business systems. This may seem antithetical to our mission as security pros, but after trying to help hundreds of companies become more "secure," you begin to realize that, from the company's perspective, security is not priority No. 1.

Even after a particularly nasty hacker attack, when the attacker has scooped up all the passwords, compromised the entire network, and downloaded confidential data, senior management will more often than not be more concerned about interrupting critical business systems than about actually ensuring that the bad guys are gone. Many seasoned security pros have experienced this, I can assure you.

In fact, there's a name for this strategy: Assume Breach, wherein the company accepts that malicious activity will forever be present in its environment and everyone should conduct business as usual anyway. It's a risky gambit, with senior management betting that whatever happens because of the hackers, the damage will be less than the cost of what would need to be done to ensure the hacker is gone forever (if that is even possible). The gamble works most of the time -- until the attacker causes hundreds of millions of dollars in damages, the public finds out, and the attack is directly tied to a detail that should've been investigated but wasn't.

But if you unexpectedly bring down critical business functionality for longer than a day or so because of a new security process or device you put in place, you'll be shopping your résumé around faster than the network can be brought back up. Business rules.
