by shawnhermans 4180 days ago
What the author does not seem to grasp is that security is fundamentally about managing risk. Consider his statement that "IT executives seem to break down into two categories: the 'early adopters' and the 'pause and thinkers.' Over the course of my career, I've noticed that dramatically fewer of the 'early adopters' build successful, secure, mission-critical systems." His measure of success is whether or not the software is secure and not whether or not it fills a valid need.

Consider two divisions within a large company. One is the research and development division and the other is finance. I want the R&D department to be the early adopters and I want them to take risks. They will be the early adopters. On the other hand, I want the finance department to be locked down.

Consider the same logic as applied to the typical startup. A startup that is focusing most of their time and energy on security is probably playing the wrong side of the risk equation. They have more to risk by delaying their product than they do making sure it is locked down. On the flip side, an established company like a bank or insurance company has a lot more to lose and should focus more on security.

2 comments

I think M. J. Ranum [1] probably has an exceptional understanding of risk.

In fact all of his points - the 6 dumb ideas - are places where he's pointing out that people are widely misinterpreting the risks, and putting their time and effort in the wrong place as a result. Most of the closing paragraphs for each point are suggestions on how to better prioritise your time and effort so you can get on with whatever makes you money.

And with regard to your second paragraph, if we consider most companies, there is a 'default permit' on the network between the workstations in the finance department and the R&D department, unless they're in physically separate locations, and often even then. The workstations in the finance department will almost certainly run any software at all, unless it's caught by the anti-virus (default permit, and enumerating badness). You're right that they should be locked down, but are they?

[1] http://en.wikipedia.org/wiki/Marcus_J._Ranum
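To make the 'default permit' and 'enumerating badness' points in the comment above concrete, here is an added illustration (not part of the thread, and not from Ranum's essay) that evaluates the same three constructed flows between a finance subnet and an R&D subnet under two policies: a deny list with everything else permitted, and an allow list with everything else denied. The subnets, rules and flows are all made up for the example.

```python
"""Default-permit vs default-deny evaluated over a few constructed flows.

Added illustration for the thread above; subnets, rules and sample flows
are constructed for the example and do not describe any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class Rule:
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        src, dst, port = flow
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))


def decide(rules: List[Rule], flow: Flow, default: str) -> str:
    """First matching rule wins; otherwise the policy's default applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed subnets for the two departments discussed in the thread.
FINANCE = "10.10.0.0/24"
RND = "10.20.0.0/24"

# "Enumerating badness": a deny list of the things someone already thought of,
# with every other flow permitted by default.
DEFAULT_PERMIT_RULES = [
    Rule(RND, FINANCE, 445, "deny"),   # SMB from R&D into finance is blocked
]

# "Enumerating goodness": only the flows finance actually needs are listed,
# and everything else is denied by default.
DEFAULT_DENY_RULES = [
    Rule(FINANCE, "10.10.0.10/32", 443, "allow"),  # finance workstations -> finance app server
    Rule(FINANCE, "10.0.0.53/32", 53, "allow"),    # finance workstations -> internal DNS
]

# Constructed sample flows.
FLOWS: List[Flow] = [
    ("10.20.0.5", "10.10.0.7", 445),   # R&D -> finance, SMB (on the deny list)
    ("10.20.0.5", "10.10.0.7", 3389),  # R&D -> finance, RDP (nobody listed it)
    ("10.10.0.7", "10.10.0.10", 443),  # finance -> its own app server
]


def compare(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (default-permit verdict, default-deny verdict) for each flow."""
    return [
        (decide(DEFAULT_PERMIT_RULES, f, "allow"),
         decide(DEFAULT_DENY_RULES, f, "deny"))
        for f in flows
    ]


if __name__ == "__main__":
    for flow, (permit_verdict, deny_verdict) in zip(FLOWS, compare(FLOWS)):
        print(f"{flow}: default-permit={permit_verdict}, default-deny={deny_verdict}")
```

The second flow is the one the comment is about: under the deny-list policy the R&D-to-finance RDP connection is allowed simply because nobody enumerated it, while the allow-list policy denies it without anyone having had to think of it in advance.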

That is a recurring trait in infosec circles. A kind of black and white thinking that can easily slip over into paranoia. Something they seem to share with military planners etc.