Beware Publicity-Seeking Security Gurus

For the past few days I’ve been reading some strange reports coming out of a Gartner Security conference in London. Enough to make me wonder whether the speakers are on the same planet as the rest of us. I’d be highly interested to hear from anyone that attended this event. Surely it couldn’t have been as daft as the media coverage suggested?

The first story I spotted was a plea from John Pescatore, a Gartner analyst, for organisations to spend less on IT Security. I’m speechless. In my experience it’s extremely rare for an organisation to overspend on security. It can happen occasionally, for example following a major incident. It also used to happen in some arcane areas of Government many years ago, for example when millions of dollars were spent on unnecessary Tempest protection. But I have to say that these cases are exceptions, and the general picture has been a widespread under-spend in most of the vital areas of security, including education, architecture, identity management, development, testing and certification audits.

The second story that caught my eye was a remarkable claim by Joanna Rutkowska, a security guru with several years’ experience, who thinks that “major software packages such as operating systems could be secured through code auditing and formal verification – but it may take as long as 50 years before this is possible”. A reassuring sentiment, but as Keynes pointed out, in the long run we’re all dead. Yet there are many practical, sensible steps that can be taken today to secure systems by applying sound principles and controls for architecture, coding, testing and maintenance. Formal verification is an interesting aspiration but a bit of a wild goose chase.

So ignore these claims. Spend more on security. And encourage your developers and vendors to develop secure systems. You shouldn’t need a security guru to tell you that.