11 Truths We Hate to Admit

I'm not sure if it's an artifact of living too long in the cosmic center of the universe here in Boulder Colo., but I have an aversion to self deception. While there's nothing wrong with a looking in the mirror and seeing yourself a few pounds lighter on occasion, an infection of self-deception in an industry often feeds bureaucracy, eats budgets, and rarely ends well.

The IT security industry is far from immune. Like every other industry, security professionals are full of rampant truths we all know, but few want to talk about.

All of the 11 points I'm about to make are both obvious and true. There aren't any secrets here – just things we talk about in bars after a conference and don't normally write down. These are in no particular order:

1. Signature based desktop antivirus is an addiction, not effective security.

AV is often the single biggest security expense in an organization, yet it's one of the least effective. Gateway AV is still a reasonable investment to filter out known garbage, but desktop AV needs to seriously improve its heuristics and other non-signature techniques if it is to protect us.

Independent reports indicate current AV products are full of gaping holes, and many organizations experience extensive downtime from bad signatures and poor performance. At least today's malware doesn't grind your computer to a halt at noon every Wednesday.

2. The bad guys beat us because they're agnostic and we're religious.

The bad guys are always innovating for competitive advantage, but innovation isn't something large organizations or industries do well. We get wrapped up in our own little religious battles over PKI, IDS, standards, AV, whoever we work for at the time, and what's worked for us before. We become too personally tied to pet projects we're experienced with – and can't let go of.

3. Antitrust concerns force Microsoft to weaken security.

Host security companies take out full-page ads in the Wall Street Journal and threaten to go to court when Microsoft adds security features that might tread on their turf. Thanks to some poor past behavior by Microsoft, these tactics work. But if it weren't for the antitrust problems of the past, we'd all have free anti-spyware and AV in Windows, forcing those other companies to compete on merit.

4. Vendors are like politicians – they lie to us because we ask them to.

We, as users, often set totally unreasonable expectations and prefer our vendors to lie to us rather than tell the truth. When we require something in an RFP we'll never need or demand performance well beyond our requirements, we force vendors to cut each other's throats as they exaggerate to make us happy. If they're the abusers, we're the enablers.

5. We're terrible at talking to, or understanding, those that fund us.

I'm far from the first pundit to complain that security people suck at talking to the business, but we do. We consistently fail in both demonstrating our value and accounting for the needs of the business. The very idea that we are separate from the business is an anachronism itself. Security doesn't exist in a vacuum; our role is to allow our organizations to take as much risk as they want to take in the safest way possible. We don't just need to learn "their" language and methods – we need to translate our needs to their needs, and vice versa.

6. Security researchers need to grow up.

Security research, including vulnerability research, is possibly one of the most critical factors in the success or failure of IT security. Yet all too often, we see even the most professional researchers grandstand, get into pissing matches about who should get the credit, or just descend into worthless ego wars in public forums.

No, it's not that anyone else really behaves any better. But researchers won't gain the credit or influence they truly deserve until they start taking the high ground, destroying the fuel their critics use to demean them and their impressive work.

7. Security companies make more money when there are more incidents.

The value of security is rarely apparent until we've experienced the very pain it's designed to prevent. Or, at least until the person next to us has. I've written about security market drivers, and the single fastest way to grow a security market is to have a product ready when a massive exploit hits. Preferably, a day-stopping painful exploit.

8. Network security is the result of a mistake, not an industry worth perpetuating.

If it weren't for poor host security, insecure protocols, and no concept of data security besides the occasional encryption, we wouldn't need network security. It should be the goal of every security professional to make network security irrelevant. It will take generations, if it's even possible. But we should never forget that network security only exists because we've screwed up everything else.

9. Disclosure is dead.

We're tired of the debate. It hasn't evolved in years, and the reality is that companies are going to disclose whatever the heck they want.

10. Momentum will destroy us, until it doesn't.

We're faced with the nearly impossible task of operationalizing something that isn't static. While we need efficient security, we also need to respond to the business' adoption of new technologies, and the bad guys' creation of new techniques.

We're constantly pressured to improve efficiency and define metrics that might be worthless in one or two years. Our response? All too often, it's either to ignore the changes around us, or try to prevent the change within us. We need to balance the need for operationalization with the need for innovation.

11. We can't fail.

I'm not expressing a call to arms to inspire you; it's just a simple fact that we, the people who practice security, will never completely fail. If things ever get so bad that IT security affects how society functions, we'll get all the support and funding we need (after the first few heads roll). Without moderately effective security, the information engine that drives our economy and society no longer runs. The bad guys will never win the war, because if they do, there'll be no place for them to buy bread, never mind HDTVs.

If you have feedback on any of these truths – or want to add to the list – please post a message to the board attached to this column. I'd love to hear your views.

— Rich Mogull is founder of Securosis LLC and a former security industry analyst for Gartner Inc. Special to Dark Reading.