Access Road

Design access controls in networks, systems and applications


Editor's view n°1:
The distinctly mediocre level of IT security

IT security is tiresome. It makes me feel incompetent. Over the last fifteen years I have seen new and complex tools, and new requirements and budgets for security coming from the board of vice-presidents, and this is good. But I have also seen more and more complicated security issues in large systems with more products, more connections and more changes, and this is very bad.

The bitter pill to swallow is this: today, in a typical corporate IT system, nobody is in control of security. I mean that nobody knows whether all risks are reasonably managed, and worse, nobody even knows all the actual risks that apply to the system.

And don't say that the solution lies in tools, or even in a controlled process. The stuff is too complex, too fast-moving, too unstable, too obscure. As a famous humorist said: we are too stupid for this sophisticated world! (Yes, we built it.)

As usual, people are the hope. The classical defences today are:

  • 'omerta': silence about the malicious intentions that are uncovered in the company's IT system,
  • fear or honesty: it is easy to find skilled technical people and to pay them quite well, so most technicians will avoid taking any risk, even when a fraud looks easy to carry out,
  • complexity, speed, instability and obscurity in the system: they produce the risks, but they worry the bad guys too when they plan an attack!

Together with tools and controlled processes, all of this has real but only medium effectiveness. Not enough, for example, in a large-scale system with numerous B-to-B connections, rapid change, web services and so on.

I see a long-term solution: more collective intelligence, more technical qualification, more managerial awareness. We have no chance of improving the security of large interconnected systems without improving our human skills.

It will be slow. It is not a business opportunity for tool vendors; rather a burden, once they have to prove that their tools are designed to be hacker-proof. It is a small market for consultants, and hard work for the IT team in each company. It requires innovation and new educational methods in IT security. That is the priority.

We now have to develop honest, collective intelligence against malicious, individual intelligence. This is where quality and safety stood in industrial companies in the 1980s, and they succeeded in meeting those challenges. I am absolutely optimistic.

But in any case, e-commerce and B-to-B systems will offer doubtful security over the next ten years, in spite of the many advertisements that promise us the moon. We will have to stay aware of the real issues, train everyone, select simple and sound tools and clear and robust processes, and so try to build the next generation of IT systems more cleverly. Good luck!

All registered names are trademarks of their respective owners.
Last modification of this page : October 30, 2001
© Copyright 2001 TPA Conseil - All Rights Reserved.