I was reading through an article last night about the 25 greatest blunders in technology history and was happily strolling through memory lane (what are Palm Pilots, PS/2s and Apple Newtons anyways? :p) and then got quite a surprise at the very end of the article. The number one technology failure of all time according to the article’s author (Neil McAllister) is … security!
First off, Neil is right. From a technology standpoint, security has failed. Neil argues that technology was built on top of an already insecure foundation, and so the result of anything on top of that foundation will be anything but secure. However, I would like to present some additional reasons why security may be the biggest wet blanket of all time. Read on.
In my opinion security is not a single “thing”. Security has to do with much more than exploited vulnerabilities, hackers, and missing patches. This beast we call security actually has three heads. They are:
It’s when all three of these work together is when security is most effective. Unfortunately, neither of these three have been playing well together lately, if ever. Neil did a great job covering the technology piece already, so I’ll talk about the other two. Also, each one of these aspects of security is a long discussion in itself so I am just going to share what I think is the top failure in each of the two remaining categories and would love to hear your thoughts too.
My Top People Reason Why Security Fails: Security Divas
A friend of mine, Steve, put it it best one time when we were hanging out in a bar after a full day of delivering presentations. He wisely noted “Security unfortunately has become something that people try to own, not something you are responsible for or contribute to. People start thinking they are the solution, rather than part of it.” Steve wasn’t using elite-speak (by “own” he didn’t mean ”0Wn” as in compromise or gain root access on), he meant that security was something that people tried to claim as theirs, especially the successes, but none of the failures. These people tend see themselves not as a cog in the wheel, but rather they are the wheel. Their solution/service/thing-a-ma-gig as the only possible security allowed in their eyes. Any attempt not blessed by them to enhance or further security gets elephant stomped. To protect their golden egg they will set political fires behind your back and scratch and claw your face like a cornered cat. Their egos are often highly inflated and they are clouded by their own agendas. They are the few rotten apples that ruin the rest of the basket. I call these people “security divas“.
It’s ironic that the users of security (desktop users, administrators, and grandmoms) get blamed for the failure of security. Some of the practioners (security divas in particular) could share some of that blame if you ask me.
My Top Process Reason Why Security Fails: Complexity
When I was young, I had problems with very basic math and nearly failed my first year of highschool (ironically I graduated with honors in mathematics and computer science from the University of Waterloo in Canada). The notion of negative numbers was just beyond me for the longest time. My parents would tell me over and over again “you’re making it this more complicated it has to be.” That perfectly describes today’s security processes. Something that should be simple to solve, is over-thought and consistently complicated. “Attempt by W32.TrojanDropper.A-B/32_884.9 to access protected memory segment located at 0x45ED3FAC. What would you like to do?” <– huh? How about letting the user know that “A compuer virus tried to infect your computer and we intercepted it, stop it or allow it to do so?” Or how about not even bothering the user at all and just taking care of it? Give them the satisfaction that this piece of software they bought for $39.99 will make their life easier, rather than more complicated with obscure and cryptic warning messages? Today’s security processes, approaches and especially solutions etc. are often too complex and hard to use that even security experts have trouble with them. How can we then expect non-security experts to use them? Psss … those non-security experts end up not using those processes, approaches or solutions. Start, Control Panel, Add or Remove Programs has to be one of the most common security key sequences by now.
There’s genius hidden in simplicity and my gut feeling is that someone will come up with a series of security solutions that are so simple and elegant that even if the wrong people are performing security they can still arrive at the right results. Until then, security will continue to stumble and get listed as a failure on lists such as Neil’s.
So there you have it, my top reasons for why security fails today are security divas and unnecessary complexity. I’ll talk about my take on solutions sometime down the road. What are some of the reasons why you think security has failed?