Twelve mistakes security managers make

There's a quote by 19th century American theologian Tyron Edwards that goes, "Some of the best lessons we ever learn we learn from our mistakes and failures. The error of the past is the wisdom and success of the future."

Mistakes are an unfortunate fact of life, and when it comes to making them, the personnel in charge of IT security are certainly not exempt. With the help of security consultant Ken M. Shaurette of MPC Solutions, I've collected the following dozen common and not-so-common mistakes and misconceptions made by organizations when it comes to the security of their networks.

• Misconfiguring system security (firewall, antivirus and intrusion-detection/prevention systems).
• Trying to fix all of an organization's security problems with a purely technical approach, believing in a technological solution for the foibles of human nature.
• Allowing and even urging users to chose difficult-to-guess passwords, assuming that personnel can't become familiar with good practices and regularly change passwords.
• Not patching and, more importantly, not having a patch management architecture that goes beyond just applying the latest patches.
• Trusting that every security consulting firm is the same and can deliver the same quality.
• Believing that applying the minimum security requirements to comply with security regulations is enough.
• Not creating a security management program and simply buying the latest and greatest "cool" vendor solution.
• Not having an information security operation plan.
• Believing that users can't be taught to improve their security habits and that it therefore doesn't pay to create a security awareness program.
• Assuming that because antivirus software is installed and a personal firewall is running, the organization is secure
• Not maintaining the operating system (such as patching Windows NT, 98 or XP)
• Trusting in human nature (that updates to personal account information will be provided for free, that they'll send over the promised winning millions, etc.)

"As seen from a consulting company, I feel the No. 1 mistake that every organization makes is thinking they can resolve all their security issues with money and a technology," Shaurette said. "Vendors of point solutions count on that and prey on every organisation's lack of planning and desire to have a solution just like the guy down the street, but not necessarily know why or if they really need it."

The bottom line is that security is a process not a product and in the end, awareness remains key.

Douglas Schweitzer is an Internet security specialist with a focus on malicious code. He is the author of several books, including "Internet Security Made Easy", "Securing the Network from Malicious Code" and "Incident Response: Computer Forensics Toolkit."