Lesson learned: Learn what is critical to the business and don't interrupt it unless not doing so will result in more damage.
Colossal security mistake No. 2: Killing the CEO's access to anything
CEOs are the kings of their kingdom. Regardless of whether they truly need access to a resource on or over the network, if you somehow remove that access, it's likely to threaten your job. I once got in hot water with a CEO because I blocked his access to pornography by enabling content filtering on a new firewall the company had purchased. I wasn't supposed to be "the Internet police," as he so eloquently put it.
I've seen CEOs yell at security pros simply because IT required the CEOs to put in a new password on their computers or put in a new password to access a high-risk application. CEOs for the most part want to open their laptops, click an icon, and have everything readily accessible, security be damned. Every IT security worker that has worked directly with a CEO has stories.
Lesson learned: Make access as easy as possible for the CEO while maintaining the required amount of security.
Colossal security mistake No. 3: Ignoring a critical security event
If the recent Target breach has taught us anything, it's that ignoring a critical security event can be hazardous to your job. As it turns out, Target's security software had detected the Trojan software installation used to commit the hack, but the security team incorrectly deemed the event log message a false positive. Instead of alerting management that the company was under attack, everyone remained silent as the logs filled up with evidence of the infiltration. This single bonehead move cost Target hundreds of millions of dollars, forced the resignation of the CEO and CIO, and eroded customer trust in the brand.
But can any of us throw stones? Who among us hasn't opened up event logs, seen a bazillion events, and not had their eyes glaze over? Event-monitoring storage systems are measured in terabytes and petabytes precisely because event logging is an inexact science. Event logs are built to accumulate false-positive events to the tune of a million non-events for every real attack that gets logged.
Target's event-log mistake is a very public reminder that some "false positives" are more important than others. In Target's case, the ignored event had recorded that a new executable was being uploaded and installed. Someone analyzing the logs explained it away as an expected point-of-sale system upgrade. The easy, but mistaken, explanation led the company to ignore tens of thousands of similar detection events.
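The failure described above is a triage failure: a single "expected upgrade" judgment silenced an entire class of high-severity events, and nothing forced a second look when that class kept repeating across hosts. The following script is an added example, not code from the article or from Target; it uses a constructed key=value log format, made-up host names and file paths, and an assumed host-count threshold. It shows a suppression rule of the kind an analyst might add, and a second pass that escalates a suppressed high-severity event class anyway once it has appeared on several distinct hosts.

```python
"""Triage that does not let a one-off 'false positive' call hide a spreading event.

Added example. Log format, event names, paths and thresholds are assumptions
constructed for illustration, not any vendor's real schema.
"""
from collections import defaultdict

# Severity per event class. A new executable landing on a payment host is
# high severity regardless of how often the event fires.
SEVERITY = {"new_executable": "high", "port_scan": "medium", "login_failed": "low"}

# Suppression rules an analyst adds after deciding an event is benign.
# Key: (event, path). Constructed value standing in for an "expected POS upgrade" call.
SUPPRESSED = {("new_executable", r"C:\Windows\pos_update.exe"): "expected POS upgrade"}

# Distinct-host count at which a suppressed high-severity class is escalated
# for review anyway (threshold chosen for the example).
HOST_THRESHOLD = 3

# Constructed sample log lines in an assumed "<timestamp> key=value ..." format.
SAMPLE_LOGS = r"""
2013-11-30T02:14:07 host=pos-0412 event=new_executable path=C:\Windows\pos_update.exe
2013-11-30T02:14:09 host=pos-0413 event=new_executable path=C:\Windows\pos_update.exe
2013-11-30T02:14:11 host=pos-0414 event=new_executable path=C:\Windows\pos_update.exe
2013-11-30T02:14:20 host=pos-0412 event=new_executable path=C:\Windows\pos_update.exe
2013-11-30T02:15:00 host=pos-0414 event=port_scan src=10.0.8.5
2013-11-30T02:15:30 host=pos-0412 event=login_failed user=svc_pos
2013-11-30T02:15:31 host=pos-0412 event=login_failed user=svc_pos
2013-11-30T02:16:02 host=pos-0500 event=new_executable path=C:\Temp\unknown.exe
"""


def parse_line(line):
    """Split '<ts> k=v k=v ...' into a dict; values contain no spaces in this format."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def triage(lines):
    """Return (alerts, suppressed_count).

    First pass: apply suppression rules and raise immediate alerts for
    unsuppressed high-severity events. Second pass: any suppressed
    high-severity class seen on HOST_THRESHOLD or more distinct hosts is
    escalated as a 'review_suppression' alert, so the original benign call
    gets re-examined instead of silently covering every later occurrence.
    """
    alerts = []
    suppressed_count = 0
    hosts_by_key = defaultdict(set)

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        key = (ev["event"], ev.get("path"))
        severity = SEVERITY.get(ev["event"], "low")

        if key in SUPPRESSED:
            suppressed_count += 1
            hosts_by_key[key].add(ev["host"])
            continue

        if severity == "high":
            alerts.append({"kind": "immediate", "host": ev["host"],
                           "event": ev["event"], "path": ev.get("path")})

    for key, hosts in hosts_by_key.items():
        if SEVERITY.get(key[0]) == "high" and len(hosts) >= HOST_THRESHOLD:
            alerts.append({"kind": "review_suppression", "event": key[0],
                           "path": key[1], "hosts": sorted(hosts),
                           "reason": SUPPRESSED[key]})
    return alerts, suppressed_count


def run_sample():
    """Run triage over the constructed sample and return its result."""
    return triage(SAMPLE_LOGS.strip().splitlines())


if __name__ == "__main__":
    found, hidden = run_sample()
    print(f"{hidden} events suppressed by analyst rules")
    for alert in found:
        print(alert)
```

On the constructed sample, four lines are silenced by the "expected upgrade" rule, but because the same binary appeared on three distinct hosts the rule itself comes back as a review item listing those hosts, alongside the immediate alert for the unsuppressed executable on pos-0500. The point is the second pass: a suppression rule should carry a scope (expected hosts, expected window) and be re-opened when the suppressed class exceeds it, rather than standing forever on one analyst's first judgment.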
If the CEO and CIO are gone, you can bet that the employee who told everyone to ignore the event is gone, if not the entire team. Management is all about choosing critical business functionality over security -- until the security event impacts critical business functionality. Then the pendulum swings swiftly, and heads roll for doing business as usual as the company coffers are plundered.