In his keynote to the RSA 2009 conference Brian Truskowski, general manager of IBM's Internet Security Systems (ISS) told delegates that despite all the improvements in security technology the human element was still the key weakness in any system.
“We need to admit humans will always fall for a good hoax, then we need to accept it and move on,” he said.
“Humans are an infinite threat to security. This is why security has moved to the machine/human interaction point, chiefly the browser and the application.”
He gave the example of Kevin Mitnick, one of the most (in)famous hackers of all time. Mitnick himself admitted that his success was down less to his computer knowledge and more down to the ability to fool people with social engineering.
He said that for security to be effective it needed to be built into the enterprise from the ground up and be responsive. Too many vendors focused just on blocking one attack vector when a more flexible approach was needed.
The situation was similar to the Titanic he said. The ship builders focused on strength, speed and luxury and ignored maneuverability, which proved fatal for many of the passengers.
“Too many chief executives see the iceberg coming but can't do anything about it,” he said.
Companies should focus on building flexible network security and consider offloading part of the business to managed security vendors he continued.
There were simply not enough good personnel available for hire to manage a secure IT department and so companies would have to go to specialists.