Lately I haven't been feeling all that great. People tell me I should go to a doctor, but I don't really want to. My car also hasn't been running all that well recently. I should probably take it to a mechanic, but maybe later.
Most people would think I was nuts—they'd say that any problems with my health or with my car could be a sign of serious issues that need to be addressed. But that's exactly why I don't want to go to the doctor or get my car checked out.
What if there really is a serious problem? That could be very scary and expensive. Honestly, I'd rather not know and simply hope for the best.
Of course, I'm not alone in this kind of thinking. There are countless companies whose IT managers have the same attitude when it comes to the health of their enterprise systems, applications and networks. They could be using tools, services and consultants to check these systems to make sure that they are free of bugs, security holes and viruses that could lead to a serious security problem or data breach.
But what if a problem is found? Then IT managers would have to deal with it, which can be scary and expensive. Most IT pros would rather not know and simply hope for the best.
This attitude is different from the Sgt. Schultz "I know nothing" vendor attitude that I've written about previously. In that case, software vendors are trying to hide their problems from customers and competitors, even if it means putting their customers at risk.
The type of "I know nothing" attitude I'm talking about here arises more from fear and apathy. Also, the current system almost encourages it.
If IT administrators take a proactive approach to finding out about potential problems, they are, in the eyes of some, responsible for any problems found. On the other hand, if IT administrators don't go out of their way to look for problems, they can claim ignorance and blame the so-called inevitability of bugs and viruses if a problem does strike.
But this attitude is wrong. The only real protection against security failures is finding potential holes, bugs and problem points before a hacker or worm does.
The tools and services available for finding vulnerabilities are much better now than they were years ago. Vulnerability scanning tools produce much more focused and accurate reports than the false-positive-ridden tomes of yore. Current-generation patch management and updating services have taken much of the tedium out of these tasks and have made it much easier to keep servers, systems and applications up-to-date and secure.
There are even many free and open-source tools that businesses can use to look for potential problems in their enterprise IT infrastructures. Of course, it goes without saying that you also want to stay current with any information about new problems or holes that are discovered—say, with a trusted source like eWeek—so that you can move quickly to limit your exposure to emerging risk.
Now that I think about it, I will go to the doctor. It will probably turn out to be nothing, but better to be safe than sorry. And I'll take the car to my mechanic, whom I trust, since I'd rather spend a few dollars now than potentially have my car fail dangerously on the highway.
And for those businesses that choose not to look for potential problems in their IT infrastructures, well, it's their choice. But there is a word for choosing to be in a state of not knowing—ignorant.
So you just go right ahead and tell your bosses and investors that your company has a policy of ignorance when it comes to maintaining the security and stability of the core enterprise systems and networks. But when the inevitable catastrophic failure hits, you'll most likely end up being sorry that you weren't safe.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.