Yesterday I received a spam mail about a commercial SSH solution. The mail presented the product like this:
“Find out how SSH can ease the burden of PCI DSS, SOX and other mandates and IT audits with a robust data security solution used by millions worldwide! <deleted name> delivers unparalleled Managed File Transfer and Data-In-Transit Security solutions for the most demanding Linux, Unix, Windows and IBM Mainframe environments.”
As Bruce Schneier said a long time ago: “Security is a process, not a product!”. Reading a commercial announcement like this one left me in a strange state: a bit disgusted and scared. Is it normal for an organization to wait for compliance requirements before deploying or extending security solutions? In that case, they would have been very lucky not to have been affected by a security incident before.
Sometimes, organizations behave like people: they procrastinate. Procrastination can be defined as “how people keep leaving things they should do until later, often because they do not want to do them”. Sometimes, organizations follow Newton’s 3rd law: “To every action there is an equal and opposite reaction” (also known as the action–reaction principle). Security becomes a priority after… an incident has happened! This reminds me of the story of a customer who asked us to investigate a network incident (which, as Murphy’s law predicts, occurred during the weekend). No log management solution was in place, and it was impossible to investigate any further once some devices had been rebooted in an emergency.
Compliance might be seen as a sword of Damocles for the “bad players”. On the other hand, organizations falling under compliance requirements don’t have to be scared if they already take care of their security! Don’t take compliance as a punishment; just take care of your security on a daily basis. Apply due care and due diligence…