No wonder we have security problems. For decades, we've treated security as an afterthought, an add-on, a kludge. First we design the business system. Then we assemble the technology and build the applications and string the wires. And then - because it's a checkoff item we have to complete before the big bosses will sign off on the project - we throw in some security. That's how we've done it for 40 years, since the days when IT system security meant adding a good lock on the mainframe room's door.
It's still that way today. Now, instead of a lock, security means passwords and firewalls and utilities that sound the alarm when they detect unauthorised probing of ports or access to accounts.
But security is still the last thing we cobble together and bolt on. And as a result, it's usually the messiest, ugliest, most user-unfriendly part of our systems.
Is it any surprise that for almost everyone else in corporate life, our cobbled-together, bolted-on security is first and foremost an inconvenience, an irritation, an annoyance? Permissions, virus filters, limited data access, digital certificates, encryption and piles of passwords - they're all pretty much the same to users. They're a pain. They chew up valuable time. They get in the way.
So what do most users do when faced with this in-their-face, time-and-effort-consuming security? They look for ways around it. So, of course, our security problems just keep getting worse. It's not just crackers and spies and assorted bad guys who are finding ways around our security. It's our users, too.
As long as IT people treat security as an afterthought, we'll keep on building systems where ugly, inelegant security gets in the way. And if it's in the way, users will fight it, work around it, undercut it.
The best solution - the one we can't afford, of course would be to rebuild everything, our entire IT infrastructure, applications, the works, with security designed and built into it down to the core.
We'll need that, and maybe sooner rather than later. With supply chains and B2B and Web commerce, our systems are more exposed than ever. But rebuilding our world with single sign-on, highly secure databases, IP Version 6 networks, smartcard authentication and the other technologies required will take time. Learning to use them effectively will take longer. Getting budget approval could take forever. But we don't have to wait for that. We can start rethinking security today. Maybe we can cut down on unauthorised shortcuts around security by building some secure tunnels that let users do what they need easily, without compromising security or breaking our rules.
Maybe acts like this will start IT down the path of treating security as something more than an afterthought.
Frank Hayes, US Computerworld's senior news columnist, has covered IT for more than 20 years.