Wednesday, September 3, 2008

Security "silos"

While watching a webinar on virtualization security I heard a term that made me say "aha"! It's the perfect term for what I've witnessed many times over my career in security auditing. The term was "security silo". I'm not even sure what they meant by the term but to me it describes perfectly the reason the "bad guys" will always have the advantage over the "good guys". What the hell am I trying to say? Well, there is a good reason why the folks who do bad things with computers are always going to have at least one advantage over the guys trying to protect us from them.

That reason is simple: Most IT organizations build their computing infrastructure into computing silos. There is a database silo, a network silo, a systems silo, a security silo, an applications silo and nowadays we're adding a VoIP silo and probably a storage/virtualization silo. What that means is security always comes into a project late or not at all. I have talked with many security folks and the answer is always the same when asked about policies and procedures. Sure, they get to make them, but rarely do they get to enforce them as written. Most upper management types abhor passwords of any kind. Here's a test: ask one of your security team members (you do have more than one person on the team, yes?) who the best networking or systems employee you have is. They probably can't answer the question.

Why not? Because they don't interact with them. The security folks sit in their offices and read about buffer overflows, write useless policies and dream about going to DefCon. The systems folks believe that patching is somebody else's problem. The network guys don't talk to the systems people. The application developers don't ask for any help until they need to roll out an application that requires massive changes to access lists, directory services or security configurations. Nobody wants to deal with the nerdy geeks who control the firewalls. By that time management is already overrun with cost increases, delays in releasing the new application and pressure from customers.

Damn the security, full steam ahead.
