What IT Security Can Learn From the BP Oil Spill

This week, representatives of BP told Congress that the massive Gulf oil spill was not their fault. BP claims the blame should be placed on another company that produced a key safety device that failed. That company, of course, claims yet another company is responsible for doing poor quality work.
So how does this relate to IT security? Looking at IT security from the BP perspective, organizations would almost never actually be responsible for a security breach. For example, if malware gets downloaded via a browser exploit left unpatched by Microsoft, would the organization be able to testify to Congress that they were not responsible and Microsoft was actually to blame? Regardless of one’s feelings towards Microsoft, certainly Internet Explorer cannot be blamed for all security breaches.
BP’s blame game helps us relate risk to the role of IT security. Regardless of whether the equipment used was faulty or contracted agents did not follow the proper safety procedures, BP ultimately carried all the risk and responsibility associated with the oil drilling. The same holds true for IT security: organizations simply cannot rely upon other vendors to supply vulnerability-free products. Whether it is browsers, operating systems, databases, custom applications, or network equipment, they can never be proven to be 100% secure. They are only as secure as their next vulnerability.
The lesson from the BP oil spill is that despite the (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.