Tuesday, 8 May 2007

It’s a good idea, trust me, I’m a gynaecologist

Last (currently) in the “Things I’ve done wrong” process.

To a certain extent, this is linked to expecting people to understand “why”.

In the past, I have explained the details of an Info Sec related issue and then the possible remedial actions available to the company and then assumed that the correct decision would be made. How naïve can you be?!?!?!

Unfortunately, it would appear that the “correct” decision is not reached based on sound assessment and analysis. Mostly, it is made against a “what’s cheapest / quickest / most like what we do currently” process, and this is not sound decision making.

I’ve underestimated the human ability to take the easy option and this means that when faced with the “right” decision versus the “cheap / quick / less resource consuming / more like we do currently” decision, one of the latter is opted for.

You’ll notice the second “option” is in fact a list of options. Realising this has enlightened me. I always knew that there were infinitely more ways to do something wrong than to do it right. However, I hadn’t appreciated how easy it was to choose to do something wrong.

So, the remedy? Interesting question. I might expand on this in future blogs but for now, these are my thoughts. It’s necessary to do the hard work on everything: every decision that needs making has to be supported by argument. All possible decisions related to a particular issue need analysis, with the “pros” and “cons” debated. Then a recommendation needs to be made.

This is hard work and demoralising. I mean, as an example, imagine having to explain that WEP-only encryption is a bad idea. And I mean really explain it. Explain about the ability to set up rogue APs, then explain about the ability to intercept traffic, then explain about the ability to capture user IDs and passwords, then explain about the ability to create rogue user accounts, then explain about the ability to log in as a rogue user and download data.

Oh… Erm… Hang on… I seem to remember that this may have been covered in a recent TJX related article…