The more things change…

… the more they stay the same?

Adam at Emergent Chaos takes an intriguing, quick look back at a book from 1977, comparing two similar-sounding stories about insecurity at the IRS, one from 1977 and one from 2008. He uses these two examples to assert that "nothing has changed." I am not so sure.

The problem with both of these examples is that they simply cherry-pick opinions about insecurity, so we have no real scale for determining whether the IRS has perhaps gotten better or worse at this whole security thing. Absent a perfect record, which I believe is impossible, the two stories could still be told and yet represent huge, significant, important gains in the IRS security profile. Or not.

At the very least, we know the risk profiles have changed drastically - technology and access are completely different, the nature of the content is (likely) different, the number of participants is different, etc. We also know that spending on security has increased significantly, but perhaps not proportionately. In addition, our frame of reference typically compares single entities to their peers in both government and industry and those things have changed.

This is a great example of why we need better metrics – to determine whether security programs have gotten better or worse, versus the always-available anecdote supporting one position or the other.

3 comments for “The more things change…”

  1. February 4, 2008 at 8:52 pm

    phthththtbtbbtbtbt!
    :)

  2. February 4, 2008 at 8:53 pm

    More seriously, 30 years later we still have no useful industry-wide metrics. QED, nothing has provably changed, and thus, in the most important way possible, nothing has.

  3. February 5, 2008 at 10:37 am

    Well, over that time, the IRS has moved from the mainframe to distributed network computing connected to the internet, so things are probably worse now, compounded by the fact that so much management today is “incompetence by committee”. Nah, I don’t think there is anything to worry about.
