Securing Google

Filed in archive Security by Scott Wilson on April 11, 2008

It hadn't occurred to me until I read this article that I have never heard of a security breach at Google. Sure, people game the search results system from time to time, but that's not the same thing; in fact, it's simply one end of a long sliding scale of SEO marketing efforts. No, I'm talking about honest-to-goodness, black-hat intrusions. Google has thousands of servers, hundreds of exposed services, and increasingly large numbers of staff to make passes at. You have to imagine they are attacked at least as frequently as any other sizeable corporation, which is very frequently... thousands of times a day in most cases. If they've managed to avoid having even a trivial penetration, that would be pretty impressive.

We don't know the exact numbers, of course, and Google is famously tight-lipped, but unless they are risking real disaster and legal action by covering up some incident, it sounds like their security is pretty good. A tantalizing article in Australia's IT News gives us a glimpse of what it takes to run a secure IT infrastructure on a massive scale.

It's not magic, unsurprisingly; speaking at RSA's security conference, Scott Petry of Google's recent mail-security acquisition Postini describes steps taken to create a culture of security: mandatory security training, stock security code libraries, inside and external code review. Although it wasn't mentioned, I have to think that Google's "we'll release when we are ready" approach to project management also represents security as a cultural value; no compromises need be made to meet a ship date. Getting the code right takes precedence over getting it to market.

There are important lessons there not just for coders, but for any IT organization. Too often I see CIOs or other executives who go out and buy the shiny security software of the day, or hire a top-flight security consultant, and expect that step to make their organization secure. The reality is that security has to be a cultural value in order to be effective; the bad guy only has to get it right once, while the CIO has to get it right every time. You can't do that unless everyone in your organization and supply chain has a commitment to being secure.

