It's time to admit security is hard, and to stop blaming the victims for being human

Rich Mogull, Analyst & CEO, Securosis, Contributor

July 7, 2011

3 Min Read

We hear it time and again in various articles and reports: "The breach could have been prevented by following common practices."

Sounds simple, doesn't it? All we have to do is focus on the basics, and the bad guys will move on to a softer target. All we need to do is train our developers to avoid SQL injection and cross-site scripting, and the world will be a better place. We just need to upgrade to the latest version of XYZ, keep our systems patched, and our children will sleep better at night.

I mean really, it's only the idiots and fools who are getting hacked -- the ones who reused a password, didn't scan their Web site code, or let their users click on a bad link in an email.

It isn't like we lack for checklists, standards, or frameworks. From ISO 27001 to PCI to BSIMM, we have no shortage of guides to security nirvana. Just follow these, and you should be able to stop all but the most determined attackers. Simple, isn't it?

Except simple doesn't scale, for any given value of the scale. Are you a small shop with only 10 employees and systems to manage? Woe on you if you stupidly spend more on the GUI for your product than the security within it. A large enterprise? How DARE you miss a single targeted phishing email and let a user open the attachment.

We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. If you're small, you can control more, but you have fewer resources at your disposal. If you're large, you still struggle for resources, but now at an enormous scale. It's a no-win situation because no one can be perfect all the time. Or even some of the time.

Take Web applications. In small companies, you can't really afford third-party secure development tools, and at best might be able to pay for a scan or two. Yes, there are freeware tools, but nothing is free when you have to pay someone to learn it. Train your developers? Yes, you should invest there, but developers are humans and prone to error, and even minimal training hurts the development cycles you need to sell the product and feed your families.

Are you larger? You might be able to afford every tool in the book, but now you have more applications and more developers to manage. Even something as simple as weeding out SQL injection is nearly impossible for a multinational with hoards of developers, contractors, and outsources. Nothing is ever simple at scale.

I'm not claiming security is impossible. I'm not saying we should give up. And, believe me, I'm not out defending mediocrity. But I am saying we need to recognize that it's hard at all levels. That even the easy parts are nearly universally difficult in practice.

This isn't one of those articles with answers. Sure, I can talk all day about how users need to operationalize security more, and vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics aren't overly favorable.

But we can recognize that we rely on complex solutions to difficult problems, and blaming every victim for getting hacked isn't productive. Especially since you're next.

Security is hard. It's even harder at scale. And we need to stop pretending that even the most basic of practices are always simple, and start focusing on how to make them more effective and easier to manage in a messy, ugly, real world.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.

About the Author(s)

Rich Mogull, Analyst & CEO, Securosis

Contributor

Rich has twenty years experience in information security, physical security, and risk management. He specializes in cloud security, data security, application security, emerging security technologies, and security management. He is also the principle course designer of the Cloud Security Alliance training class and actively works on developing hands-on cloud security techniques. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights