“I say it’s spinach, and I say the hell with it!”

Back when broccoli was relatively new to many US consumers, circa 1928, EB White drew a cartoon for “The New Yorker” that showed a child turning up her nose at the new vegetable with the above tagline.

Speaking at the Gartner Conference this week Jamie Lewis commented, “enterprises should worry more about their intellectual property leaking out through employees or small-time hackers than their entire networks crashing from attacks of organized cyberterrorists.”

What do the two things have in common? That companies are still making the same mistakes with their approach to risk management that they have been for years. Focusing on the latest threat, it’s cyberterrorists today, but it was the gnarly, evil hacker back in the mid to late 90′s.

When I was doing audit work companies used to ask me, and the teams I worked with, to check their firewall for vulnerabilities while ignoring the rest of their overall security framework. Unprotected PCAnywhere access to a desktop through a phone line? Insecure connections to corporate divisions in other countries? Forget about it. It wasn’t cool and many auditees didn’t want to hear about the more difficult, and less ‘glam’ vulnerabilities to their data. “Just check the firewall.”

Broccoli isn’t spinach and a company’s greatest threat has and does come from insiders.