Is security too hard?

Kent asks for my take in this post. Here is my answer...

My only comment is that security is difficult, but it need not be overwhelming. As you know, at Microsoft we use Active Directory. That means one password for use on our corporate network. We augment that with physical security in the form of smartcards when we access our network from the outside. This solution has been extremely efficient and I don't find that our users experience much difficulty with it.

As far as home security goes, install a firewall. Use Windows Update to update machines. Make sure that WEP is enabled on your wireless network and change your WEP key occasionally. Use antivirus software. It should be as commonly recognized that you need to do these things to stay secure as it is that you put on a seatbelt when getting into a car or a hardhat at a construction site.

If the security measures that users need to take are so difficult that they are trying to circumvent these measures to do their work, then something needs to be done to either simplify the system or to retrain the users so that they understand their responsibility in ensuring the security of corporate assets.

Security as an issue isn't going to just go away. It gets better over time, but in the end, you have to manage risk in the most cost-effective way that you can.