We need to change the attitude and direction of the discussion around computer security. There are several things we can agree on:
- It is a difficult challenge, and today the bad guys generally have the upper hand;
- The problem is compounded by weakness in the:
- Technology, which in most cases wasn't designed with security in mind;
- Methodologies, which are all too often lacking in sophistication and woefully incomplete; and
- General level (and breadth) of expertise at both the technical and executive levels.
- We have a bad attitude toward security:
- We are defeatist in the way we approach it. We have given up. The “experts” tell us (at least that is what we hear) that the situation is hopeless, and we believe them;
- We aren't willing to apply the level of resources and discipline required to do it properly. Without the requisite resources, the problem won't ever get solved;
- We (both technology and general management) aren't willing to put in the time and effort that this most important of initiatives deserves.
The world has changed. And those of us who have responsibility for computer security haven't changed with it. We can no longer afford to accept the cyber security world as it is. And make no mistake about it, criminals are taking advantage of these changes and of our inability to adapt to them. We can change this, but it will take a concerted effort on everyone's part. And who do I mean by everyone?
- Consumers of computerized products. That is you and me, both individually and in our roles in the organizations and business entities we work for. We have got to stop accepting the current dogma that break-ins are to be expected. We must say enough, we aren't going to take it anymore, and that means:
- Getting our own acts together and putting five-nines (99.999%) quality programs around our use of information systems, and that includes operations, software development and computer security.
If the current iteration of the story about Equifax is correct, they didn't have processes in place to make sure that their software was up to date. This is failing at the “Quality Management for Dummies” level.
- Not supporting products that aren't secure: telling the Microsofts, IBMs, Oracles, Red Hats and Apples of the world that they must build systems that are designed from the ground up with security in mind.
I have always (at least since I read “The Design of Everyday Things” many years ago) believed that if I can't figure out how to use something properly, the fault isn't mine; it is that of the person who designed the thing I haven't been able to figure out how to use properly. That goes doubly for safety- and security-related mechanisms, whether they are physical or software.
- Producers of software products. These are the folks who provide the commercial software that underlies much of the computing done today. And what I am going to suggest is much easier to write on this page than to make happen.
- The design and implementation of these products needs to incorporate security from the foundation up. We have been saying this for years, but we need to get serious about it;
- The software has to be easy to implement and use correctly and very difficult to use wrong, whether it is a web browser, a general ledger, or an e-commerce site. And this mandate needs to apply both to setting it up and to using it.
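The Equifax note above and the call for quality programs around operations come down to the same mechanical check: knowing what is deployed and whether it sits behind the version you have decided is acceptable. The following is an added example, not code from the original post, of such a patch-currency audit in Python. The inventory, component names and version numbers are constructed sample data and describe no real system; the example also shows why the version comparison must be numeric rather than lexical, since a plain string comparison ranks "3.9.0" above "3.10.0".

```python
"""Patch-currency audit: flag deployed components that are behind the
minimum version a team has decided is acceptable.

Added example, not from the original post. The inventory and the
minimum-version table below are constructed sample data; the component
names and version numbers are illustrative only.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample inventory: (host, component, deployed version).
INVENTORY = [
    ("web-01", "appserver", "3.8.7"),
    ("web-02", "appserver", "3.10.1"),
    ("db-01", "dbengine", "10.2.9"),
    ("db-02", "dbengine", "10.2.10"),
    ("lb-01", "tls-lib", "1.4.2b"),
    ("app-01", "cache", "4.0.1"),      # deliberately has no policy entry
]

# Constructed policy: the minimum version the team considers patched.
MINIMUM_VERSION = {
    "appserver": "3.9.0",
    "dbengine": "10.2.10",
    "tls-lib": "1.4.2c",
}


def parse_version(v: str) -> Tuple:
    """Split a version string into a tuple of comparable parts.

    Numeric runs compare as integers, so "3.10" > "3.9"; letter runs
    compare as strings, so "1.4.2b" < "1.4.2c". Each part is tagged
    (0, int) or (1, str) so mixed parts never raise a TypeError.
    Plain string comparison would rank "3.9.0" above "3.10.0", the
    kind of subtle error that lets a stale host pass an audit.
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", v):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def is_behind(deployed: str, minimum: str) -> bool:
    """True when the deployed version is older than the minimum."""
    return parse_version(deployed) < parse_version(minimum)


def audit(inventory, minimum_version) -> List[Dict[str, str]]:
    """Return one finding per host that is below its minimum version,
    plus one per component with no policy at all: unknown is not 'ok'."""
    findings = []
    for host, component, deployed in inventory:
        minimum = minimum_version.get(component)
        if minimum is None:
            findings.append({"host": host, "component": component,
                             "deployed": deployed,
                             "reason": "no minimum version defined"})
        elif is_behind(deployed, minimum):
            findings.append({"host": host, "component": component,
                             "deployed": deployed,
                             "reason": f"below minimum {minimum}"})
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, MINIMUM_VERSION):
        print(f"{f['host']:8} {f['component']:10} {f['deployed']:8} {f['reason']}")
```

Each printed line is a host to chase down. A component with no minimum on record is reported rather than silently passed, because an audit that only checks what it already knows about is exactly how stale software slips through.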
While I am sure that some readers who have gotten to this point in my post will protest that we are already doing this, I would suggest that the empirical evidence doesn't support such a contention. We are, based on the evidence, at what the CMM (Capability Maturity Model, https://en.wikipedia.org/wiki/Capability_Maturity_Model) calls Level One, which is characterized by chaos in the execution of our attempts to manage the environment, ad hoc attempts to manage the situation, and individual heroics to keep things going.
Anyone who disagrees is either lying or incompetent. At this point in my diatribe 😊, I will concede that there are some organizations that run a tight ship. But they are dependent on products (operating systems, utilities, development suites and packaged software) that are inherently ineffective as it relates to security management, and probably as it relates to the general reliability and integrity of those products as well. And that means that even organizations that have their own acts together can't possibly have truly secure environments, even with their best efforts to do so.
Doing security right is a difficult thing. It takes:
- The Right Culture, one that supports the attention to detail and the processes necessary to build high-quality environments;
- Properly Trained Personnel, people who understand both security and quality management. These are the people who develop and deploy the software, not the end users of the systems, who should not need to be experts to keep themselves secure;
- Supportive Management (at both consumers and producers of software products) who are willing to make the commitment (time, talent and money) and provide the leadership necessary to produce and implement information systems environments that are inherently secure;
- Well Designed Software, built to be secure from the bottom up, difficult to use incorrectly and easy to use right.
I am tired of hearing pundits say that we need to live with bad outcomes related to computer security. We only need to live with them if we don't change the way we think about security. I close by stating that I am confident the impact and cost of not dealing with this situation will increase exponentially as we: 1) become more dependent on these systems; and 2) interconnect them more extensively. And this is bad because the risk is already pretty darned high as it stands today, and the costs and impacts are already significant. So I am extremely concerned about the future, as we don't seem to be taking this very real threat seriously enough.
Copyright 2017 Howard Niden
— you can find this (days earlier) and other posts at www.niden.com
— If you like this post: 1) please let me know; and 2) pass on your “find” to others and if you don’t, I would like to hear that too!