Real Security?

An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"

Business Practices and Security

[randall_burns]

My experience is that many companies have business practices that stress their security procedures to the extreme. For example, look at Enron. Virtually their entire IT staff were H-1b/L-1 workers from places where they weren't able to do background checks. They had a practice of hiring closeted gay accountants(so they could be blackmailed into doing what management wanted). Then this bunch of managers with degrees from Westpoint and Annapolis(yes, many of their upper managers were from those schools with their honor traditions) wonder why things went sour
(and at least $3 billion of the 12 billion in losses wound up in India).

The first key to decent security is building a community in which people have at least a degree of trust and respect for their leadership. If you have that, good security practices can go a long way. If management is playing a negative sum game with their staff and the larger community, sooner or later someone more devious and less honest is going to show up and take over that game. Those that live by the sword die by the arrow.