Is IT Security dead?

If the Gartner IT Security Summit is the best the industry has to offer, then IT Security is dead. I’ve come away from it not merely disappointed, but frustrated. Frustrated that I’ve been sitting through presentations from speakers reciting the same old woe: lots of malware – we know; financially motivated hackers – no shit Sherlock; changing risk environment – yawn. It’s like watching a weather forecast telling you what the weather has been doing. It rained today. Really? And there was me wondering what that cold, wet, miserable stuff falling out the sky was.

And the answer to all these ills? Buy software! Buy hardware! Buy some more over-priced, under-specced rubbish that you’ll never fully implement, never be able to properly integrate into your network because you’ll not bother to send your techies on the training course, and you’ll forget all about it after three months because nobody knows what it’s really doing.

Look in the newspapers: today we read about a camera sold on eBay containing images taken by MI6; yesterday we read about somebody who purchased a VPN device from eBay, switched it on and was automatically connected to a local government network. We've had secret documents left on trains, stolen laptops, lost disks, lost memory sticks and so on. What IT security device is going to solve these problems? Answer: none. So why do we keep on putting up with listening to this junk about IT being the solution?

Some people get it. For example, Martin Smith and David Lacey have been pushing out the message for years that awareness and training are the foundations of good security. And it’s cheap. Much cheaper than buying over-hyped and over-priced Data Loss Prevention software, for instance. But I’ll bet you’ll have an easier time getting the DLP spend past the budget committee.

I won't deny that we need to have decent technology, but don't kid yourself that it solves problems. Putting up an umbrella does not stop the rain. And here's the real crux of the matter. Seminars such as this Gartner summit are talking to the wrong people. Telling IT Security people that they need to have better security is like showing porn to a sex addict.

There needs to be a business security summit, with not a single techie in the room, where presenters who can do more than draw graphs on PowerPoint and read bullet points off their slides present to an audience of real business influencers and get the right messages across. I’m up for presenting at that one but who could get the marketing right to draw in the right people?



It often surprises me how many businesses also completely miss the point. Basics like using role-based access control and disabling old employees' accounts are forgotten, and instead time is spent investigating so-called incidents reported by kit that never got configured correctly and therefore is about as much use as a chocolate teapot. Basically, this means low-tech but very common breaches of security happen on a daily basis with no intervention. The happy mixture of over-reliance on out-of-the-box kit and the epidemic of 'I paid £xxxx for this kit and I still got infected/compromised etc. - I want answers from the kit's vendor' causes even more problems; when something noticeable does happen (that old web box with an ancient un-patched version of PHP gets compromised) you find people i) blame everyone else (outsource the kit, outsource the problem mentality) and ii) are in such a mess that they don't actually respond to the incident. More and more I think the problem is all to do with people being accountable, and sensible. Accountability is a dirty word in IT, especially security, but I don't think IT is 100% to blame. No room exists for 'problems', so IT spends too much money on bad kit that doesn't help and forgets the basics because they are scared about what will happen to them when these 'problems' strike. For me, security needs a major shake-up as so many people are getting it wrong. Build from the bottom (physical security, RBAC, AUPs, user training) up, not from an un-trained IDS/IPS down! Also, people need educating about 'problems' in IT, and that the sooner we accept they will happen the sooner we can respond to these incidents effectively and, very importantly, learn from them. This will allow people to become accountable without putting their heads on the chopping block every 5 seconds.
Thanks Tom. I completely agree. Education is key, and a shake-up of both the industry and our ways of managing the issues is long overdue. Perhaps something for the IISP to get its teeth into?
Hello. This might be a bit off topic, but here we go... First of all, I just have one thing to say: thank YOU Mr King for putting the finger on something that is so true. I tracked my son's (he is 14 years old) activities to VX Heavens and confronted him on the matter. We had an argument, but when things cooled down I asked him to educate me in what he was doing. This is the deal: 1. We disabled the AV software. 2. We downloaded TeraBIT Virus Maker 2.8SE (one of 195 constructors on VX Heavens alone). 3. We designed a virus with a payload that makes you shiver. 4. We downloaded Filejoiner and made a bind of our infected file together with some "real" files. 5. We enabled the AV system (some free junk called AVG) and made a run on the folder (absolutely nothing was detected by the scanner; in other words, the infected file was hidden from the AV system). And I do not think other AVs would have done a better job. 6. My son told me that the final step is to zip the files before sending them to someone. HEY..... Sending them to someone!!! If we do this we will infect someone's computer! Do you understand what I am saying? Yes, so what? So what.....!!!!! Then started a very long dialogue, much more intense than the "confronting" dialogue. But here is my point: I have failed as a father in several steps. I have not been able to pass on information in a good way that makes my son understand why one should NOT make hostile code. Also I have not paid attention to what he uses his computer for. My son is one of thousands and thousands of kids that visit sites like the damn VX Heavens. Then they visit the damn YouTube and get first-class information on how to use a virus constructor. After that they visit some damn forum (hosted in some damn country that does not give a damn, hmm, is my language bad?) to learn how to make their virus "go stealth", and all this is done in half an hour.
There is nothing strange in the report from Symantec telling us there are over one million viruses (and other types of hostile code) on the Internet. And when I read the forums my son visited I could immediately see that the security business is a joke to these kids. It is not a matter of more technical solutions; it is a matter of teaching the kids the difference between right and wrong. It will be these kids that end up making code for organized crime later on. This is a global issue of loser parents (me included) that put more time into making the hair look good and the car look shiny instead of showing interest in the youngsters. Educate kids from as low a grade as possible, make IT security a real part of the agenda taught by skilled people and not by some tired teacher with absolutely no knowledge of the matter whatsoever. It is ridiculous to see how little attention security-related topics get in the schools of Sweden. I would say it is equal to zero, null, noll, inget! And if there should be a fraction of information, it is taught by an unauthorized person that "must" do this, and the result will of course be a joke. Also, educate company staff and work with policies (my god, make laws that force companies to create, implement and live by IT policies (and these policies should always be audited by external personnel)), make people understand why they should NOT click on each and every damn link that is included in a mail (or attachments), or why the password must be strong, and why certain information must be treated with restrictions, and why one should log out of the system when leaving it "unseen", and why the AVS must be updated, and why there must be a strategy for patch management, and why new visitors to the company should not be placed in the office landscape, and why some hardware should be placed in restricted areas, and why some systems should only be accessible by a small skilled group of individuals, and so on and so on and so on.
This should really not be that difficult for the average man or woman to understand. But of course the problem in many companies is that tunnel vision is in charge, and CEOs and economists do not understand the risks their company is up against. To me it is so strange how a man or woman can put their life into building a business, where a lot of them lose both family and friends along the way, and then give it away to the first idiot that can use a CD burner??? In a great many companies there is no classification of information whatsoever, and a lot of employees have way too big authorizations. Make people aware of the risks they put themselves and their company up against in certain situations. Make them aware of how to act when certain situations occur. It is ridiculous to believe overpriced soft- or hardware will protect a company if everyone behind the scenes acts like an idiot. Another interesting matter is the fact that I know a lot of people that protect their home PC much harder than their PC at work. The company "can suffer", but my "domains" must be protected. What kind of self-absorbed bullshit is that? Once again the true face of losers (mainly in my age group, around 35-40) shows itself. This is another question directly connected to understanding, education, self-motivation, company culture, feeling for other people and property and so on, so on, so on, so on... My god, I have almost made a book! :) I am sorry for my bad English and my bad language, but this article somewhat made me "speed up" :). Have a great day to all of you, Thomas from Sweden
The problem is you need a body who reaches 90%+ of people in the field to really make a change (at least on a large scale). (ISC)2, BCS, IET, IISP, SANS - none of them can reach this amount of people. Collaboration between these organisations would be the key; however, we all know how different people's opinions can be, and how difficult it can be to come to an agreement. Not positive, I know, but it is a rocky road I think we most likely now need, as an industry, to go down. Of course, if vendors would toe the line also then the change could be quite quick; however, why would they want to if they can instead flog some expensive kit? I suppose that comes down to ethics, but that's another thing ;-)
Thanks for the great feedback Thomas - your points about the importance of raising awareness are spot on in my opinion. The challenge is to engage with people at a level they can relate to. Putting up a few posters, for example, and calling it a security awareness campaign is an exercise in futility.
Yes, sadly you are absolutely right. So what to do then? Well, for me the main goal for the moment is to really reach the kids (and their parents) that my son hangs with. Out of 8, all of them frequently visit VX Heavens, and I can assure you that none of the other parents have a clue what their "little diamond" is doing behind the PC. Thanks for a good and absolutely needed story! /Thomas
Hmmm, I think I answered Mr Farrar's comment in a rush :).
A shake up of the IT security industry? Bring it on! I'm all for it and will be leading from the front.
Since you discuss how 'it's all about awareness', please share your ideas with us around what a proper awareness program really is. Walt
Hi Walt - it's been a recurring theme on this blog. Do a search on "security awareness." But I take your point and I'll talk about this in more detail over the coming weeks.