Being a Step Ahead of Potential Threats
Added 15th Jan 2007
Article Highlights
- The fundamental problem of security is about behavior.
Bad news. It's all around you. Bad things happen all the time. The problem with human nature, though, is that until something actually happens, you don't think about the things that you could have done to prevent or at least mitigate the risk of that bad thing actually happening to you.
The problem is posed by the behavior of users — on the network and devices you manage and the applications you develop and use.
It doesn't resonate until, quite frankly, it's already happened. Up to that point, your behavior doesn't change. It's like the time I was robbed in Las Vegas at gunpoint, or the time that someone got a hold of my checking account number and started writing checks on it (those are stories for another day). After each of these things happened, I spent lots of time making myself and my family more secure.
Unfortunately, most companies are like most people - they do only what is necessary to protect themselves from the obvious threats that they (or often their vendors) believe they can and should solve. If you think about the analogy of securing your home, it's the 'lock your doors and check the windows' strategy.
In IT security, this analogy usually translates into CIOs, chief information security officers and security administrators fixing the tangible problems that they believe they can solve with least cost and effort. Sound familiar?
In the end, this usually means securing against threats posed by viruses, worms and trojans by buying firewalls, IDS/IPSs, VPNs and so on and so forth. Great. Good work. Now, the network won't be brought down by someone opening a virus-laden email. Nice start.
To me, the fundamental problem of security is about behavior. It's about the behavior of developers when writing applications, the behavior of the low-salaried IT admin who just got paid to download a bunch of customer data by some crooks, the behavior of the 'looky loo' employee snooping around in someone's HR files when he shouldn't be, the behavior of the new college grad who just started his job and thinks that using Kazaa on the network to download free music is completely acceptable.
It is this behavior that is happening on the network and devices you manage and the applications you use and develop, by users that are part of your company. So much for locking the doors and checking the windows.
So, as I evaluate new opportunities to invest in security, I'm looking for two things:
(1) Companies that offer tools and technologies to help monitor, manage and enforce the right behaviors in people and devices; and
(2) Companies that make it drop-dead simple for IT folks to use their tools. It's why we invested in Securify, and why I think companies like Fortify Software, which I haven't invested in but think very highly of, have a huge opportunity in front of them.
If you haven't taken a look at these guys, I think you should, before that 'bad thing' happens to your company. CIO


