I have worked in both public and private sectors as well and also cannot 
clarify much on the general question which was asked. I would suggest taking a 
look at statistics on money spent on security initiatives and compare that to 
actual security implementations and understanding of security. In that regard, 
the public sector as a whole is behind the curve, even with the advances made 
in the DoD, NSA, etc. While there is a lot of policy regarding security in 
places like state government and higher ed, there is not a whole lot of 
understanding or review of those policies at the bottom tiers of the 
organizations.

On the other hand, the private sector has an even greater difference in this 
area. They are not required to invest in security unless they are facing 
mandated policies such as HIPAA, SOX, or PCI. Thus, most of the time I've seen 
large companies fall into the same practices as the public sector organizations 
- lots of policies with little understanding or implementation of the policies 
at the bottom levels. Typically when I've been brought into a private sector 
organization as a security consultant, it's after a breach, after the forensics 
and law enforcement (I'm not a forensic analyst), and after a whole lot of 
money went down the tube. Another issue to consider is that the majority of 
small businesses (< 10 employees) are not as well connected as some of the 
medium to large organizations. Thus, they have fewer attack surfaces and you 
could consider them to be more secure because of that. As they grow, they don't 
tend to spend the newly earned profits on security, and a lot of holes open up 
in that transition.

So, at a high level, government has a more secure "look" if you examine 
policies, but a less secure environment which does not conform to the policies. 
Private sector has fewer policies, but the potential for a more secure 
environment because of the agility and money they have to invest in security 
implementation without policy establishment.

You can take it from there as to whether adherence to policy is more secure 
than implementation without guidance.


Ben Floyd
Senior Consultant, Improving Enterprises, Inc.
[email protected]

On May 4, 2011, at 11:16 AM, Jon Schipp wrote:

For those that have worked in both sectors or for those that are familiar with 
the relationships, which tends to be the most "secure"?
(I'm leaving a partly-open interpretation of the word.)

In other words, as a generalization, which area seems to take computer and 
network "security" more seriously, or who tends to do a better job?

I'm aware that each have different threats, but I'm trying to look at this from 
a high-level macroeconomic perspective.

Most people familiar with economics and history know that the public sector 
tends to always lag behind the private in various areas due to the private 
sector's price system and its profit/loss mechanisms.

I'm assuming that this is the case for IT security as well. What do you guys 
think? From your experiences what can you conclude?
Generalize.

Also, does anyone know if there have been studies on this?

Thanks!
--
- Jon
--
------------------------------------------------------------------

Fax & VMB: 206-984-1989

Dubois County Linux User Group - http://www.dclinux.org
BloomingLabs - http://www.bloominglabs.org
ISSA-Kentuckiana - http://issa-kentuckiana.org

GPG Key ID: 810903CB
Key fingerprint = 0069 ED69 EABB DF84 5983  AD3C 6C20 BEFD 8109 03CB

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com