I've just been browsing some articles in the CodeBreakers-Journal. (As a mathematician by education, and with a background in IT, I occasionally like to see what's going on in the field of cryptography.) I came across the following quote by Bruce Schneier:
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
That's so accurate; and so often I see clients who believe that technology is the answer to their security needs. Mohammed Fadel Mokbel, the author of the paper I was reading, went on to say:
"... the most important and perilous factor in computer/internet security is the human integration with the technology."
That neatly explains why technology so often fails to deliver the level of security organisations expect. I remember auditing one firm which proudly told clients its offices were protected by pass cards so that only authorised staff could access work areas. True. During the day. In the evening, however, once the management team had gone home, the cleaners propped all the security doors open with buckets to create one vast open space. By then the security guard on the front door had gone home and it was also pretty easy to get in via the front door - just catch the eye of any of the cleaners and look like you belonged there. Essentially security during the evenings was non-existent. Management of cleaners is a dull affair and is often passed well down the food chain to somebody who has no clue about security. (It shouldn't be, of course. Office managers need to vary their hours and be in the office at a wide range of times.) Technology is no defence against human ignorance, nor against managers who don't make staff understand why the technology matters.
A second problem is that technology is added on top of processes which are inherently insecure. That doesn't work. Security needs to be embedded into the process design and the process design integrated into the technology. One of my pet hates is consultants who perform process reviews but don't have a background in IT and systems - and indeed don't have a background in organisation effectiveness in terms of human dynamics. Process design requires a true multi-disciplinary approach.
Perhaps the underlying issue is managers who believe their security is fixed because they bought some technology "to take care of everything". They know that's the case because the salesman told them it would. Ignorance is the single biggest cause of security holes.