In the past week, I had a number of discussions about information security and technology in general. With colleagues, we identified a few common patterns of decision-making in corporate environments – and those are case studies in how decisions shouldn’t be made. Here are some examples:
We need mature solutions. Can anybody define maturity when it comes to IT? Is IntranetWare a mature solution for network file and print services? Whenever you hear “maturity” or “business acumen”, or something like that, reach for your wallet. Fact: early adoption of technology works better in most cases. That’s because you have better support from the technology partner, more features, more time before the next upgrade, and staff who feel good because they are working on something new.
Everyone else does it, so it must be good. This is the “best practice” fallacy. Cases in point: do not broadcast the WLAN SSID; VLANs are for security; and multihoming servers (having separate physical connections to different security zones) is a security feature. These myths don’t withstand a reality check (e.g. scenario-based threat analysis), but they persist in people’s minds and get embedded in assorted standards like PCI – resulting in costlier infrastructures that are more complex to build and support.
We don’t really know what we’re doing, but let’s do it anyway. That is, decisions large and small are made on the basis of uncertainty and lack of knowledge. Cases in point: we don’t know what this software update is doing, so let’s have a full system restore as the backout plan; I heard that a virtual machine will have some kind of issue running our application, so please use a physical one (the last one comes from a Microsoft engineer, with no details about the issue given despite repeated questions); and we don’t know how the database server will perform when the database size reaches 4TB, so let’s go Oracle RAC. If you don’t know what the software update is doing – find out by looking in the installation package. If you have concerns about database performance – create a performance baseline and try to come up with an automated stress test of some sort; the database size by itself doesn’t mean much.
Decisions should be made based on knowledge and facts.