PaulDotCom mailing list archives

Re: Security: Public vs. Private


From: Benjamin Floyd <ben.floyd () improvingenterprises com>
Date: Thu, 5 May 2011 11:48:37 -0400

I have worked in both public and private sectors as well and also cannot clarify much on the general question which was 
asked. I would suggest taking a look at statistics on money spent on security initiatives and compare that to actual 
security implementations and understanding of security. In that regard, the public sector as a whole is behind the 
curve, even with the advances made in the DoD, NSA, etc. While there is a lot of policy regarding security in places 
like state government and higher ed, there is not a whole lot of understanding or review of those policies at the 
bottom tiers of the organizations.

On the other hand, the private sector has an even greater difference in this area. They are not required to invest in 
security unless they are facing mandated policies such as HIPAA, SOX, or PCI. Thus, most of the time I've seen large 
companies fall into the same practices as the public sector organizations - lots of policies with little understanding 
or implementation of the policies at the bottom levels. Typically when I've been brought into a private sector 
organization as a security consultant, it's after a breach, after the forensics and law enforcement (I'm not a forensic 
analyst), and after a whole lot of money went down the tube. Another issue to consider is that the majority of small 
businesses (< 10 employees) are not as well connected as some of the medium to large organizations. Thus, they have 
fewer attack surfaces and you could consider them to be more secure because of that. As they grow, they don't tend to 
spend the newly earned profits on security, and a lot of holes open up in that transition.

So, at a high level, government has a more secure "look" if you examine policies, but a less secure environment which 
does not conform to the policies. Private sector has fewer policies, but the potential for a more secure environment 
because of the agility and money they have to invest in security implementation without policy establishment.

You can take it from there as to whether adherence to policy is more secure than implementation without guidance.


Ben Floyd
Senior Consultant, Improving Enterprises, Inc.
ben.floyd () improvingenterprises com




On May 4, 2011, at 11:16 AM, Jon Schipp wrote:

For those that have worked in both sectors or for those that are familiar with the relationships, which tends to be the 
most "secure"?
(I'm leaving a partly open interpretation of the word.)

In other words, as a generalization, which area seems to take computer and network "security" more seriously, or who 
tends to do a better job?

I'm aware that each have different threats, but I'm trying to look at this from a high-level macroeconomic perspective.

Most people familiar with economics and history know that the public sector tends to always lag behind the private in 
various areas due to the private sector's price system and its profit/loss mechanisms.

I'm assuming that this is the case for IT security as well. What do you guys think? From your experiences what can you 
conclude?
Generalize.

Also, does anyone know if there have been studies on this?

Thanks!
--
- Jon
--
------------------------------------------------------------------

Fax & VMB: 206-984-1989

Dubois County Linux User Group - http://www.dclinux.org (http://www.dclug.org/)
BloomingLabs - http://www.bloominglabs.org
ISSA-Kentuckiana - http://issa-kentuckiana.org

GPG Key ID: 810903CB
Key fingerprint = 0069 ED69 EABB DF84 5983  AD3C 6C20 BEFD 8109 03CB


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

