What makes a security project fail?
I started working on a project that has, no doubt, been done before. It's something no one has publicly posted information on and it's not new -- something everybody wants, yet every vendor says is impossible. The problem with this project is that it can't be managed by IT security at a "sysadmin level" in production. The only role IT security will have in the project after rollout is implementing new features. If it can't serve the customers (site owners) exactly as they want at an abstracted level, it's just another project to waste several weeks on.
Too often in security we'll do things just to please ourselves -- to make us feel good, but what value do we really add? That's what I learned this first week of my internship.