Twenty years ago, IT security was just an afterthought at the bottom of everyone's priority list. The mischief that ensued was primarily for bragging rights and personal satisfaction. As businesses have transitioned to conducting 99+ percent of their essential functions electronically, the motivation has also shifted from egotistical to monetary. To say that IT security practices have not kept pace is an understatement. We've moved from a point of not thinking or pressing for IT security, to a point of constant discussion and concern without proactively addressing and mitigating today's serious problems. I believe that businesses truly care about the problem and want to better support these efforts, but are often overwhelmed with many other issues and choose not to allocate hard dollars until they encounter a breach. In the legal system, this is known as the “bloody stump” theory.
Let's look at the problem with a view that the glass is half full. Without the hacks and attacks on our systems and data, do you think we would have gained support from businesses in developing efficient systems with security, at least on the radar, and insisted for IT architectures? Architectures that were built for efficiencies, produced as a byproduct more secure systems? We've been challenged by very intelligent people who utilize that intelligence the wrong way, but it has resulted in more robust, efficient systems that just happen to enhance the security environment. Ten years ago, major system deployments failed over 70 percent of the time. Nowadays, you'll be hard pressed to read about a multimillion dollar system failure.
The problem is we're lagging behind criminals whom at this point, are well financed through their ill-gotten gains. Hacking and other IT criminal activity has grown into a lucrative business, focused on profiting through our demand for newer and better technology, delivered with vulnerabilities and without security thoroughly “baked in.” Rush to market and security assurance still sit on opposite sides of the fence. In the business world, IT security has reached the minimum funding level, but it remains a secondary piece of the primary business. We continue to accept the vulnerabilities as a cost-of-doing business and write off the cost of being scammed.