Information Security

Defending the digital infrastructure



Viewpoint: Don't blame generation gaps for poor home security

Don't Blame the Old Folks
I read most articles written by Bruce Schneier and Marcus Ranum; in general, they hit the mark and have a good understanding of security and the society in which we live. In this article (Face-Off, September 2007), I would disagree with their arguments. I think security is too complex today--and the trend continues--to point the finger at ISPs or old folks.

Yes, ISPs have a major role in this chain of services and security. Yes, the old folks will die, but will the bad habits die with them? I highly doubt it.

I think there should be a concerted approach to security. Home users need more secure computers out of the box, reliable and safe connectivity and networks, but also more and better knowledge regarding their personal risks related to the activities they're undertaking on their computers and on the Internet. In other words, give them options.

Let's remember that having better police, legal system or prisons hasn't stopped organized crime from doing what they do.

Catalin Bobe, President, SecureBase Consulting

Starts at the Top
The issues (identity management and data leakage) as well as the rules and regulations (Sarbanes-Oxley, PCI, data breach laws and privacy laws such as the Gramm-Leach-Bliley Act and state data breach notification laws) cited in the article ("IT pros impede PCI, Sarbanes-Oxley compliance," August) are business issues rather than simply IT or compliance issues. As such, they should be dealt with through corporate governance.

If there is actually discord regarding which legislation or regulations have a greater weight, then management must provide direction.

Corporate governance (e.g., COSO) and/or IT and security governance frameworks (e.g., ISO 17799/27001, Cobit, NIST) seem to be in sync here. If the groups noted in the summary aren't receiving meaningful direction on enterprise risk, it seems natural to divide along "party lines."

Without clear direction from the top, lower levels of management are forced to try and make assignments that are out of their pay grade. The desire to do a good job (and not get blamed for failures) leads to turf wars, with each group focused on risk as they understand it given their limited view of corporate level governance.

Turf wars serve only to increase risk to the corporation, management, employees, clients and investors.

Another possibility is that the study, the summary or both are flawed.

Karl Wabst, Independent Technology Governance Consultant

Contact Us
Send your comments to
We reserve the right to edit letters for clarity and space.




Information Security's December issue will mark the 10th anniversary of our covering the information security market, providing the most comprehensive coverage of the people, trends and products you encounter every day on the job.

This keeper issue will traverse the last 10 years in this industry, featuring articles about the innovators, luminaries, practitioners and events that shaped the direction the information security industry has taken.

We want your help. If you have any feedback on the people or landmark events we should include, or if you'd like to share any anecdotes or even photographs from the last decade, we want to hear from you.


Contact us at

