Monday, April 4, 2011

On the state of IT security and data storage

There have recently been several notable events in the IT world that should cause you, if you aren't already, to question the wisdom of the claims made by both security and managed-services providers. Case in point: several weeks ago I sent out a link to a story about a major IT security provider that got hacked (see: http://www.msnbc.msn.com/id/42152645/ns/technology_and_science-security), and last week there was another noteworthy event where an irate ex-employee of a data storage service provider wiped out a year's production for a TV production company that employed its services (see: http://news.yahoo.com/s/nm/20110331/tv_nm/us_zodiac).

There is some commonality between the events. Both providers offer external services (although it's not clear which products were compromised in the first case). Both were used to ensure data security and integrity. Both were used so that companies would not have to bear the expense of managing their own secure services. And because their marketing was taken at face value, their customers suffered.

There are a couple of key points:
  1. There is no such thing as perfect security.
  2. Your security is only as good as the people you hire (not the companies you employ).
  3. Hype sells, but doesn't pay the damages from lawsuits.
  4. Outsourcing is cheaper in the short term, but won't help your case when your customers and/or shareholders sue (notice a train of thought here).
  5. Whether you outsource or not, you are still responsible for the final results (just ask BP about that).
  6. If you have a government entity as a client, be aware that they have deeper pockets for lawsuits (think just about infinite) than you do.

So how do you avoid, or at least reduce the risk of, these kinds of events happening to you? Several things come to mind:
  • Don't depend on a single data storage source... Keep local backups... that are checked... by your people... on a regular basis.
  • Use multiple layers and types of security... from different providers... that are monitored... by your people... on a continuing basis.

Now your CFOs and CEOs may complain that this is an unnecessary expense. I acknowledge that each task would require at least one full-time position (and possibly multiple shifts) to ensure proper coverage and due diligence... and that it is not expensable. An appropriate response is to ask them if they would be willing to insure (with their personal assets) that such a thing will not happen. Because while the courts can be somewhat forgiving when due diligence is performed, they will be absolutely scathing when it is not.
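As an added illustration of the "local backups, checked by your people, on a regular basis" point (this is example code written for this page, not anything from the original post or from the providers mentioned in it), the Python script below records a SHA-256 manifest of the production data at the time the backup is taken and later re-verifies the backup copy against that manifest, reporting files that have gone missing, been altered, or appeared unexpectedly. The directory names and file contents in `demo()` are constructed sample data; in practice the manifest would be kept somewhere the backup operator cannot alter it, so a wiped or silently corrupted backup is noticed on the next scheduled check rather than on the day you need to restore.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large media files do not need to fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Report what differs between the recorded manifest and what is actually on disk."""
    return {
        "missing": sorted(set(expected) - set(actual)),   # recorded but no longer present
        "extra": sorted(set(actual) - set(expected)),     # present but never recorded
        "modified": sorted(                               # present but contents changed
            k for k in expected.keys() & actual.keys() if expected[k] != actual[k]
        ),
    }


def verify_backup(expected: dict, backup_root: Path) -> dict:
    """Re-hash the backup copy and compare it to the manifest taken at backup time."""
    return compare_manifests(expected, build_manifest(backup_root))


def demo() -> dict:
    """Constructed scenario: take a backup, verify it, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "production"      # constructed stand-in for the production data
        bkp = Path(tmp) / "local_backup"    # constructed stand-in for the local backup copy
        (src / "episodes").mkdir(parents=True)
        (src / "episodes" / "ep01.mov").write_bytes(b"constructed sample footage 01")
        (src / "episodes" / "ep02.mov").write_bytes(b"constructed sample footage 02")
        (src / "notes.txt").write_text("constructed production notes\n")

        manifest = build_manifest(src)      # recorded when the backup is taken
        shutil.copytree(src, bkp)           # the backup itself
        clean = verify_backup(manifest, bkp)

        # Simulate silent corruption of one file and deletion of another on the backup.
        (bkp / "episodes" / "ep02.mov").write_bytes(b"constructed sample footage 02 CORRUPTED")
        (bkp / "notes.txt").unlink()
        damaged = verify_backup(manifest, bkp)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The check is deliberately independent of the backup tool: it hashes whatever is on disk, so it catches a failed copy job, a corrupted volume, or a deliberately deleted tree equally well. Schedule it to run against the local copy on a regular basis, and treat any non-empty `missing` or `modified` list as an incident to investigate, not a warning to dismiss.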

That is not to say that there aren't services that are trustworthy and reliable, or even that these were not; just don't put all your eggs in one basket (and keep a few hidden in the back of the fridge), lest you find yourself with egg on your face and a large mess to clean up.
