As technologists we tend to forget that there are problems that can’t be solved purely with technology. This week I’ve spent every day with 4000 other highly technical people at IT Forum. It’s been very interesting and the range of technical questions have been extrodinary.
Security is certainly an area where there are few absolute solutions. By it’s very nature security is subjective. Obsessing about high profile risks can lead us to be vulnerable as it’s often the “un-interesting” areas that are exploited leading to exposure.
Think about the paranoia many people have about the insecurity of wireless networks for example. Spending most of your time and budget solving that problem (there’s loads of effective guidance @ http://www.microsoft.com/wifi) and forgetting about security awareness training for the people who use your systems would be a bad idea IMHO. Of course some people decide to avoid the risk posed by wireless by turning it off (not implementing it at all) but that means that they also miss the benefits too.
Sensible security involves a sensible policy together with frequent comprehensive risk assessment – these form the basis for directing resources to reducing all risks to an acceptable level. Bear in mind that each of us (and our organisations) have different appetites for risk – a start up company may have few assets and hence less to loose so may choose to accept more business risk.