Late last week, a MacBook Air was cracked at the CanSecWest security conference as reported by Robert McMillen here in InfoWorld. The Web discussions about it show just how silly this whole security discussion has become.

Some pundits delighted in the fact that Apple’s premier laptop was the “first to fall” again this year. Others noted that many of those attacking the systems were using Macs to do so. Others noted that Vista fell second and Ubuntu Linux was not cracked during the event.

From the perspective of a CIO who does the necessary analysis, none of these actually matter. There are too many variables. I think the good news was that nobody cracked any of the systems by attacking them from the network. That’s good news for the direction of security overall. As I mentioned in The crack on the OS X used a previously undiscovered bug in Safari and a visit to a web site that exploited it. The crack on Vista used Adobe Flash and a compromised Flash movie. Safari runs on Windows and Flash runs on OS X. Most Windows and OS X systems are likely to have Flash installed, for instance, and the hole may be in both versions of Flash. Regardless, these kinds of holes are likely to be found forever (although products such as those from Mu Security for network protocol robustness testing and Veracode for application security analysis should be applied to all products before shipping them), so understanding the typical attack vectors and educating staff on mitigating the risks is the only real solution. Of course, you must also protect your infrastructure from the possible compromise of systems. This is where policy-based networking comes into play. That’s why we review the evolving world of policy management and enforcement (sometimes called NAC, but that’s a hyped misnomer).

Anyway, don’t buy into the mindless “security competition” masquerading as news. Focus on your users and getting them as productive as possible while managing the risks.
It’s a balancing act, and it’s IT’s job to do it.