Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at
This Should Not Be Happening
I recently published my thoughts about hacking cyberattacks in this space, in a piece titled “The Train of Danger.” 1 In it, I gave my paranoia free rein and suggested that organizations are unprepared for the danger of such attacks and that security professionals, in particular, are at risk. I received a thoughtful series of messages regarding that column from Stan Dormer of Cheshire in the UK. He led me to see the problem from a few other angles, which I would like to
The Problems Persist

Mr. Dormer wrote:

IBM celebrated its centenary some months ago; commercial security consultancies and anti-malware companies are ten a penny; every software vendor provides voluminous advice on security; ISACA provides quality advice and highly qualified professionals and has developed schemes such as COBIT. More formal methodologies such as SABSA accompanied by standards such as ISO 2700x abound.

We do pen testing, security certification testing, deploy ‘unbreakable’ cryptographic schemes…and we have the defense and other government agencies that employ some of the best security professionals on

And an individual or group permeates through all of this stuff like a knife going

This should not be happening.

Quite so, Mr. Dormer, quite so. If we understand the problem and have developed the solutions, then why do we still have the problem? Stan goes on to suggest some reasons:

• Employees may be leaking personal data, security data and security credentials to outsiders for gain.
• Alleged cyberwar attacks are fewer than reported and are being exaggerated for political reasons.
• Software vendors may still be leaving ‘backdoors’ in their software just like they used to do in the 1960s and 1970s and these are communicated to a select few who then in turn leak the knowledge.
• Perhaps it is that we are pathetic at deploying security and most security software achieves little.
• Dorothy Denning 2 may have been right—‘All software contains fatal weaknesses, and you cannot develop a formal system that is secure’—so we have to live with it.
• Software may be over-complex and too interconnected to be able to lock it down.

The Culture We Deserve
These are all plausible specifics; putting them together leads me to think that there is a general explanation. I believe that cultural issues in our society and in our organizations are the greatest impediment to true security despite, as Mr. Dormer says, all the countermeasures we have deployed. Jacques Barzun said we get the culture we deserve. 3 Perhaps we get the security our culture deserves, as well.

It is safe to say that everyone is in favor of security. Who can be against it? However, we do not value security, or at least we do not value it as highly as other attributes. We do not applaud risky business, but we do look up to people described as risk takers. There simply is not the same cachet for a person to be really secure. The praise for risk taking is deserved because risk is rewarded with profit. But, I suggest, what we really favor is prudent risk taking. That qualifier