Thursday, November 24, 2005

Mi2g and the SANS Top 20



First we have to get this out of the way...I have been a contributor to the SANS Top 20 for the last 4 years. I think it is a great piece of work, with a very specific focus...to help system administrators focus their efforts.

Which brings us to Mi2g... http://www.mi2g.com/cgi/mi2g/press/221105.php

This has been headlined in at least one place as "Mi2g disputes SANS Top 20". I don't see it that way at all. I will not get into what reasons Mi2g has to release this article. I am sure they did it for purely altruistic reasons. Once you filter out the sensationalism and obvious self-promotion, the article is bang on. Security is not a technical problem, it is a system that starts with people, policy and processes. Technology is merely the means to support the 3Ps.

The interesting thing is that during the deliberations for this year's Top 20 list, we talked about all of the human side of the security equation, and whether or not to include it in the list. But in the end we decided that that wasn't the point of the project.

It is my fervent hope that small companies and novice admins will address the human side of the equation, but if they don't, the Top 20 is a great start.

Rick
