Security just an afterthought

No wonder we have security problems. For decades, we’ve treated security as an afterthought, an add-on, a kludge. First we design the business system. Then we assemble the technology and build the applications and string the wires. And then, because it’s a check-off item we have to complete before the big bosses will sign off on the project, we throw in some security. That’s how we’ve done it for 40 years, since the days when IT system security meant adding a good lock on the mainframe room’s door.

It’s still that way today. Now, instead of a lock, security means passwords and firewalls and utilities that sound the alarm when they detect unauthorized probing of ports or access to accounts.

But security is still the last thing we cobble together and bolt on. And as a result, it’s usually the messiest, ugliest, most user-unfriendly part of our systems.

Is it any surprise that for almost everyone else in corporate life, our cobbled-together, bolted-on security is first and foremost an inconvenience, an irritation, an annoyance?

Permissions, virus filters, limited data access, digital certificates, encryption and piles of passwords: they’re all pretty much the same to users. They’re a pain. They chew up valuable time. They get in the way.

So what do most users do when faced with this in-their-face, time-and-effort-consuming security? They look for ways around it.

They thumbtack lists of passwords to their cubicle walls. They leave their PCs on when they’re away so they won’t have to log in again. They turn off filters, turn on scripting and swap unauthorized tricks and shortcuts for bypassing security.

So, of course, our security problems just keep getting worse. It’s not just crackers and spies and assorted bad guys who are finding ways around our security. It’s our users, too.

Sure, they’re wrong to undercut our security measures. But it’s our own fault.

As long as IT people treat security as an afterthought, we’ll keep on building systems where ugly, inelegant security gets in the way. And if it’s in the way, users will fight it, work around it, undercut it.

The best solution, the one we can’t afford, of course, would be to rebuild everything, our entire IT infrastructure, applications, the works, with security designed and built into it down to the core.

We’ll need that, and maybe sooner rather than later. With supply chains and B2B and Web commerce, our systems are more exposed than ever. But rebuilding our world with single sign-on, highly secure databases, IP Version 6 networks, smart-card authentication and the other technologies required will take time. Learning to use them effectively will take longer. Getting budget approval could take forever.

But we don’t have to wait for that. We can start rethinking security today. And one good place to begin is to take some of the sting out of security for users.

Maybe we can get rid of those tacked-up lists of passwords by cutting down the number of different passwords we assign each user. If we can’t do real single sign-on today, maybe we can whip up some scripts that let users type one password once, and let the machine do the rest of the work.

Maybe we can adjust how PCs log on to networks and applications when they start up, so users won’t be so tempted to leave them running unattended.

Maybe we can cut down on unauthorized shortcuts around security by building some secure tunnels that let users do what they need easily, without compromising security or breaking our rules.

Yes, those are more security kludges. But at least they’re elegant kludges that make security a little less obnoxious and a little more convenient for users.

And just maybe that will start IT down the path of treating security as something more than an afterthought.

Hayes, Computerworld (U.S.)’s senior news columnist, has covered IT for more than 20 years. Contact him at