In the excellent work “Life and How to Survive It” by psychotherapist Robin Skynner and his former patient, British comic John Cleese, there is a passage devoted to our mental map of the world. They postulate that a possible measure of mental health is how well our inner map matches the reality of the world around us. It’s a concept that has stuck with me for many years since I first read the book, and it resurfaced recently while I was reading the recent Cisco Annual Security Report. It’s a great report and a worthwhile read. Amongst the many interesting but unsurprising security issues (Java and Flash vulnerabilities, users’ careless behavior, although we have a fix for that), the one that struck me most was the growing disconnect between perception and reality. It seems we have a situation where 75 percent of Chief Information Security Officers see their IT security as very or extremely effective, but less than 50 percent of respondents are using tools such as patching and configuration management to mitigate risks. It strikes me that there is a reality gap opening up, which is hard to believe given a quick review of the security incidents of the last year.
So is a measure of our IT security health how accurately the threats and our preparedness to defend against them are conveyed in the boardroom? I think so. This is not a time for sugar coating and ‘managing up’. IT professionals and executives need to work hard to ensure that they are keeping their grip on reality and continue to be clear about the risks and the mitigations they can put in place. Vendors, too, need to be clear about the capabilities of their solutions and how they can be implemented. That’s one of the reasons we include “Recommended Practices” guides on most of our Reference Architectures. We want to show you that we can stand by the claims we make about our security solutions – because we’ve tested and documented exactly how to implement them.
Are they always going to work? Is everything perfect? Probably not. But that’s reality. What you can be sure of is that we are going to keep on building real world defenses for real world threats.