Friday Summary: November 13, 2009By Rich
I have to be honest. I’m getting tired of this whole “security is failing, security professionals suck” meme.
If the industry was failing that badly all our bank accounts would be empty, we’d be running on generators, our kids would all be institutionalized due to excessive exposure to porn, email would be dead, and all our Amazon orders would be rerouted to Liberia… but would never show up because of all the falling planes crashing into sinking cargo ships.
I’m not going to say we don’t have serious problems! We do, but we are also far from complete failure. Just as any retail supply chain struggles with shrinkage (theft), any organization of sufficient size will struggle with data shrinkage and security penetrations.
Are we suffering losses? Hell, yes. Are they bad? Most definitely. But these losses clearly haven’t hit the point where the pain to society has sufficiently exceeded our tolerance. Partially I think this is because the losses are unevenly distributed and hidden within the system, but that’s another post. I don’t know where the line is that will kick the world into action, but suspect it might involve sudden unavailability of Internet porn and LOLCats email.
Those of us deeply embedded within the security industry forget that the vast majority of people responsible for IT security across the world aren’t necessarily in dedicated positions within large enterprises. I’d venture a bet that if we add up all the 1-2 person security teams in SMB (many only doing security part-time), and other IT professionals with some security responsibilities, that number would be a pretty significant multiple of all the CISSPs and SANS graduates in the world.
It’s ridiculous for us to tell these folks that they are failing. They are slammed with day to day operational tasks, with no real possibility of ever catching up. I heard someone say at Gartner once that if we froze the technology world today, buying no new systems and approving no new projects, it would still take us 5 years to catch up.
Security professionals have evolved… they just have far too much to deal with on a daily basis. We also forget that, as with any profession, most of the people in it just want to do their jobs and go home at night, perhaps 10% are really good and always thinking about it, and at least 30% are lazy and suck. I might be too generous with that 30% number.
Security, and security professionals, aren’t failing. We lose some battles and win others, and life goes on. At some point the world feels enough pain and we get more resources to respond. Then we reduce that pain to an acceptable level, and we’re forgotten again.
That said, I do think life will be more interesting once losses aren’t hidden within the system (and I mean inside all kinds of businesses, not just the financial world). Once we can tie data loss to pain, perhaps priorities will shift. But that’s for another post…
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian and Martin on Network Security Podcast 173.
- Adrian’s Dark Reading post on Database Cell Encryption.
- Some of Rich’s work is in the brand new Macworld Snow Leopard Superguide.
Favorite Securosis Posts
- Rich: Dave Meier’s post on security and location based services. This challenged my existing beliefs and forced me to separate the issues of security and privacy. Can’t ask for much more out of a post (or an intern).
- Adrian and Meier: Compliance vs. Security.
- Mort: Always Assume
Other Securosis Posts
- 2010 Services Update
- Mobile Phone Worms Don’t Need Carriers Anymore
- Two Random Security Rules
- Google Dashboard Comments
- Layman’s view of X.509
Favorite Outside Posts
- Rich: Andy the IT Guy on building a program from the ground up. I think I might have to do a full response to this one.
- Adrian: SDL for Agile Development on the Microsoft Security Development blog.
- Chris: Paul Vixie on the subversion of DNS.
- Mort: Practices: Proven vs. Standard?
- Meier: Unpatched Windows 7 Bug Crashes Windows - Microsoft needs to give up the backwards compatibility and stick a fork in it – it’s done!
Top News and Posts
- WordPress security patches out.
- HP buys 3Com – does this make them a security vendor now? (On the networking side – they already had application security).
- Mike Bailey discovers a flaw in Flash same origin policy enforcement.
- The Dark Side of the Cloud.
- Shocker: None of 16 AV products tested rated Very Good.
- Awesome: Hacked Roombas Used to Play Pac-Man. Where do they find the time?
- Apple Fixes User Account Bug.
- Marcus Ranum at TED.
- Martin on the ethics of spilled COFEE.
- Adam O’Donnell joins Immunet.
- A Security Catalyst post on what it’s like for new people entering the security profession.
- Researchers pushing smartphone security to the carrier.
- Google Latitude Gets Creepy with Location History and Alerts – Goes with Meier’s theme this week.
- Animated Network Packet Structure Visualization – Not security related exactly, but interesting.
Blog Comment of the Week
This week’s best comment comes from Mike Rothman in response to Compliance vs. Security:
Wow. Hard to know where to start here. There is a lot to like and appreciate about Corman’s positions. Security innovation has clearly suffered because organizations are feeding the compliance beast. Yes, there is some overlap - but it’s more being lucky than good when a compliance mandate actually improves security.
The reality is BOTH security and compliance do not add value to an organization. I’ve heard the “enabling” hogwash for years and still don’t believe it. That means organizations will spend the least amount possible to achieve a certain level of “risk” mitigation - whether it’s to address security threats or compliance mandates. That is not going to change. What Josh is really doing is challenging all of us to break out of this death spiral, where we are beholden to the compliance gods and that means we cannot actually protect much of anything. Compliance is and will remain years behind the real threats.