ten mistakes that C*Os consistently make that weaken [the] enterprise

Via a circuitous route I came across “Ten Mistakes that CIOs consistently make that weaken enterprise security” – and I have to say that, having read it (a bitter and hard read, admittedly), most of it applies much more broadly than just the field of security.

Quoted from The Enterprise Architecture Blog:

1: Use process as a substitute for competence: The answer to every problem is almost always methodology, so you must focus savagely on CMMi and ITIL while not understanding the fact that hackers attack software.

2: Ostrich Principle: Since you were so busy aligning with the business, which really means that you are neither a real IT professional nor a real business professional, you have spent much of your time perfecting memorization of cliché phrases and nomenclature and hoping that the problem will go away if you ignore it.

3: Putting network engineers in charge of security: When will you learn that folks with a network background can’t possibly make your enterprise secure? If a hacker attacks software and steals data yet you respond with hardware, who do you really think is going to win the battle?

4: Over-rely on your vendors by relabeling them as partners: You trust your software vendors and outsourcing firms so much that you won’t even perform due diligence on their staff to understand whether they have actually received one iota of training.

5: Rely primarily on a firewall and antivirus: Here is a revelation. Firewalls are not security devices; they are more for network hygiene. Ever consider that a firewall can’t possibly stop attacks related to cross-site scripting, SQL injection and so on? Network devices only protect the network and can’t do much nowadays to protect applications.

6: Stepping in your own leadership: Authorize reactive, short-term fixes so problems re-emerge rapidly.

7: Thinking that security is expensive while also thinking that CMMi isn’t: Why do you continue to fail to realize how much money their information and organizational reputations are worth?

8: The only thing you need is an insulting firm to provide you with a strategy: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.

9: Getting it twisted to realize that Business / IT alignment is best accomplished by talking about Security and not SOA: Failing to understand the relationship of information security to the business problem — they understand physical security but do not see the consequences of poor information security. Let’s be honest, your SOA is all about integration as you aren’t smart enough to do anything else.

10: Put people in roles and give them titles, but don’t actually train them: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

Comments

One response to “ten mistakes that C*Os consistently make that weaken [the] enterprise”

  1. I remember the adage “Anything you can do in software you can implement in hardware. And anything you can implement in hardware you can implement in software.” This means that separating the two is silly, other than the ease of modification.

    Of course, the network “security” hardware devices are also running software, even if it is embedded.

    Of course, security is a holistic thing, the firewall, the antivirus etc. are merely tools which you can use as a part of the defensive structure. As with all tools, if they are used inappropriately for the task at hand then they either don’t work or make the situation worse.

    The problem with middle-to-upper management is that generally they don’t know enough of the detail, or don’t want to know the detail, and hence fall for all the pitfalls, usually dug by vendors of “solutions.” (I’m not sure I’d like to dissolve my problems, thank you very much.)

    There is also the problem in many cases of “seagull management” as a friend calls it. Managers who fly in making lots of noise, sh*t on everything and then fly away before things fall apart. These are usually consultants.
