Another day, another SSL vulnerability. This one doesn’t have the cool logo and memorable name that Heartbleed had, but it’s no less serious.
We shouldn’t be surprised by this. IT security compliance is a constant arms race, where nobody can ever get far enough ahead to stop running. The best that IT professionals can hope for is not to lose ground. There is a constant deluge of patches, updates, security bulletins, new policy requirements, and best practices to keep up with. There is new technology to learn, and old technology that has to keep working in the meantime. All the while, there are constantly evolving requests and requirements from the business that need to be satisfied.
The Heartbleed bug at least brought with it the advantage of a high media profile, so it was easy to justify a fire drill. When even the mainstream press was publishing horror stories about the impact and consequences of a bug, there was plenty of attention focused on solving that problem. There is much less patience with a constant state of emergency, which is what IT security amounts to if it’s done by hand.
The status quo in IT security was born of an era when there were small numbers of systems and all of them were known to the IT operations team. Today, with servers multiplying continuously, and unknown but large portions of the IT estate outside of corporate IT’s control or even visibility, that approach is showing its limits.
This is hardly a new problem, and most IT operations teams have adopted tools to help them deal with the constant demand. The problem is that each team has chosen its own tool for its own immediate needs, without considering the wider requirements. This ad-hoc and disconnected approach has failed to deliver the expected results, because locally optimising each sub-task did not improve the overall process. This failure to apply standards to the entire compliance and security workflow is the reason that, despite years of effort and investment, most IT departments are still stuck in fire-drill mode when it comes to responding to the constant flow of new issues.
BMC proposes a new maturity model for compliance and security. We discussed this new approach in a public webinar; you can review the recording here (registration required – but it’s worth it!).