It may be small satisfaction for IT professionals to know that security issues are no longer a matter of "What if?" That was the message from SANS Institute Director of Research Alan Paller, speaking at a conference convened in Anaheim, Calif., last month by Check Point Software.
"A lot of you have trouble persuading senior management that this is a real problem," said Paller. "They think security people all go to Whining 101—but the attacks are real."
Paller was unsparing in his remarks about products that come out of the box with known vulnerabilities. "It takes 5 minutes before a new system on the network is attacked. ... Thats not enough time to download patches," he said.
Accountability, said Paller, is the major new force shaping change. "It used to be, you could tell people what they were doing wrong—and that was security." Now, he said, "the responsibility is leaking into operations and audit." The people who decide when machines are turned on or off, and those who vouch for the numbers that a company uses to run its business, are charged with making systems robust and keeping data safe from accident and malice.