There always seems to be a bureaucracy ready to tell you how to keep your computer systems secure; or, worse, to tell you what you must do to be in compliance with the regulations promulgated by the bureaucracy. "It's for your own good," they say.
If you are forced to comply with some regulation or other, you'd better comply. But you're a fool if you confuse compliance with keeping the assets of your business actually, you know, secure.
Bureaucrats can't keep simple physical things secure
Computers are complicated. Construction sites? Not so much. Fences, cameras, sensors, guards and an alert, well-managed staff should do the trick. But when bureaucrats are in charge? Forget it.
David Velazquez was in charge of security at the World Trade Center construction site. Mr. Velazquez is a Columbia University graduate and had a 31-year career at the FBI, ending as head of the Newark field office. You might think well of the FBI, I don't know, but what I do know is that it's a giant government bureaucracy, and Mr. Velazquez appears to have applied the lessons he learned there in his new job.
Here is one of the crack guards "on duty" at the work site:
That may explain why a group of guys was able to get to the top and jump off, recording video all the way down:
Then a kid slipped through a fence and made it all the way to the roof, unnoticed by sleeping guards:
The biggest, baddest bureaucrats of all can't keep their own computers secure
Alright, maybe the FBI are amateurs. Let's go to the best of the best, the scariest cybersecurity experts of all, the NSA.
These guys are in charge of keeping us secure from the worst of the worst. A cover story in Wired Magazine told us all about it.
Loads of people using piles and piles of super-secret cyber magic are on the case:
If anyone can achieve cyber-security, surely these guys are it:
But we all know how that turned out. It just took one moderately clever person with bad intentions and all the vaunted cyber-wonderfulness was for naught. Among Mr. Snowden's myriad revelations was the previously secret budget of the cyber-bureaucrats of the NSA, an astounding $52 billion. Do you think if they doubled the budget they could have done a better job? Hmmmm.
Bureaucrats and Security
Why should you listen to someone who can't do it themselves? If you want to stop smoking, do you eagerly take the advice of someone who smokes? If you want to get rich, do you take advice from poor people? Bureaucrats are sure they're right -- because they have no competition, and there's no one who has the power to tell them otherwise.
Why this matters
The laughable ineffectiveness of bureaucratic security in general, and cybersecurity in particular, can matter a great deal to you. Here's why:
- If you do what the bureaucrats tell you to do, you'll spend a lot of money.
- Following the regulations makes everything slower and less efficient. You'll hurt your business.
- If you get conned into thinking that following the regulations means that you're secure, you're in big trouble. You will be more vulnerable to a business-damaging breach than ever before.
What you should do is simple: establish effective and efficient security by the best means available, which will typically be unrelated to what the authorities solemnly declare. Then, do as much regulation-following as you need to do, whether it's PCI or any of the rest of the alphabet soup, to avoid punishment.
Is this cynical? Of course! But it's also real life.