Back to Security Basics

Cisco’s recently published annual security report is not what you’d expect from a vendor of leading-edge technology products. If you’re looking for a state-of-the-art analysis of emerging security technology, you’ll be disappointed. The report opens with an analysis of 21st Century trends but presents recommendations based on elementary security principles from decades long past. In fact, there’s more focus on physical security, natural disasters and people than there is on technology. To me it’s further evidence of the current evangelistic, back-to-basics trend.

And that trend is not unexpected. There are three underpinning drivers. Firstly, it’s a consequence of a new focus on human factors arising from the growing empowerment and vulnerability of IT users. Secondly, it’s a necessary correction for security budgets, which have failed in recent years to allocate sufficient resources to people-focused controls. But thirdly, it’s also a sad reflection on the continued lack of initiative and imagination needed to develop effective new technical measures to counter the increasingly sophisticated portfolio of threats.

The last point is a concern that should not be overlooked. We need 21st Century solutions to counter emerging threats. You can’t simply dust down old solutions. Security education is an essential line of defence, but users and customers are human. They will never be completely reliable, and they simply can’t address invisible or high-bandwidth threats that might be lurking in the infrastructure. We need new thinking and solutions, not old platitudes, from our leading vendors.


While there may not be a patch for stupidity, it is probably unfair to blame users when we put them on systems and networks that are inherently flawed in their design, in the security sense. Guy Kawasaki makes an interesting point when he talks about the "Art of Innovation". He says that when a general population is tasked with something, they use what they are familiar with. Further, he says that those that have had success on the first curve are unable to comprehend, let alone embrace the second curve. If that is the case, one might have more luck asking St. Nick to leave a security silver bullet under the tree tonight than asking "leading vendors" for new thinking and solutions in order to come up with 21st century solutions. I would contend that for any vendor to provide a new and effective solution it would have to actually address the design flaws that are the root of the problem in the first place, rather than simply milking the cash cow. If the "leading" vendors have not done that by now, how can we expect them to start now?
Yes, you're right. Innovation is the key, but most vendors seem to have hit a brick wall. We need radical new thinking from new players. You can't scale up or speed up manual or deterministic solutions to meet the future security challenges from high-speed, large-scale networking. Automated, real-time security solutions are the only way forward. Yet after decades of university, government and vendor research, we only have a handful of crude solutions.
Who is to say that the entrenched vendors will not form barriers to those new players, as security sales is a zero-sum game? Fortunately, we have a few persons, such as yourself (keep up the nice job, by the way), playing a role in the media to give a balanced opinion on such matters. That aside, perhaps one should not assume that deterministic solutions cannot be made to scale to distributed enterprise requirements. I see similar statements frequently made on the basis of current technology. True innovation might actually enable it, right? :)