We care more about convenience, meeting deadlines, and a whole host of other things rather than protecting data and IT systems. When I say we, I do mean most of us, including me. It's expected that we say that we care. There are a few people out there whose actions match the words, "I care." For the rest of us, though, what we say and what we do are two different things.
At the Executive Level
At this point, given the criticality of infrastructure utility systems and the black-eye that SCADA (Supervisory Control And Data Acquisition) has had in the IT security field for a long time, you would think the utility companies would get it. However, another recent survey shows they don't. Keep in mind that this is after Stuxnet and its derivatives. It's not limited to one survey, either. Security may be spoken of as a priority, but the evidence says the opposite.
When you look at the surveys, you see that old, disproved security mechanisms still proliferate, like trying to maintain an air gap. As an industry we haven't demonstrated that we've gotten much smarter. We know more effective techniques. We know (or should know) what the best practices are. Too often best practices are being bypassed or ignored because they cause delays or they "cost too much." These reasons are trotted out, even if they are invalid. Here's where this comes back to the executive level: if the execs said securing the data/system is our top priority and then actually enforced it, would we listen? Of course we would. Can a large company do this? Microsoft, after taking some hits for their "insecure by default" configurations and applications, tightened things up greatly. It caused project time lines to be extended and delayed shipping on some releases. I think, though, we're glad Microsoft did.
Why the Executives Aren't Concerned
Target's first quarter earnings prove we don't care. Not only are consumers not concerned, neither are investors. While Target's profits have been impacted because of the cost of dealing with the data breach, folks are still shopping in the stores (at least, here in the USA). We haven't changed our spending habits or our reliance on the electronic systems that are vulnerable to compromise. Nowadays, when we have a credit card compromised, we just run through the drill. It has happened enough to most of us that we've accepted the position that it will eventually happen. When you call up a company which has a recurring charge on your card, does the person on the other end sound the least bit shocked when you say, "I need to change my payment because my card has been hacked?" Not any more.
If you work in the information technology field, you have a glimpse into how bad things are. Perhaps you've not gotten to the point where you describe everything as broken, but you know that a lot of software and a lot of integration is ugly, messy, and flat-out insecure. Has this altered the way you handle financial transactions? Are you still using your credit/debit cards or have you dropped back to cash only where you can? We technologists might talk about trying to get back to cash only, but the convenience of that little rectangle of plastic is too good to pass up. This is true even though we know that despite compliance requirements, there's still too many organizations not encrypting sensitive data like credit card numbers.
Why does this keep happening? Let's ask a different set of questions:
- Have you ever been a part of a project that left security design to the end?
- What about a project which didn't look at security at all?
- Have you ever been part of a deployment where there was a known security issue and it was waived through with, "We'll get it the next time around?"
If you answered, "Yes," to any of those questions or if you have co-workers and peers who would, then you know exactly why this keeps happening.
The Road Ahead
I know a lot of folks have proposed ways forward. Schneier suggests we scrap security awareness as we know it because he feels we've overly complicated things. His examples are reasonable. How do we know that we have cooked food properly? We have procedures around food temperature, about proper storage and handling, but we still get that wrong too often. You know that even the professionals fail at this if you've eaten out and suffered food poisoning. So why do we think cramming an hour's worth of security awareness training for a regular user is going to fix things? What about those folks at home that don't even get that? And how do you teach them to use the "right" USB devices and maintain proper controls on them? Schneier's recommendation is for IT to be smarter, for developers to be trained better on security, to put the problem back on the people who design the systems. That would be us.
I don't totally agree with Schneier. Some training is appropriate. However, I do agree that if we design the systems, we can do a better job of improving the state of things, at less cost, than trying efforts elsewhere. One commenter wrote on Schneier's post that it isn't just about developers. It's also about the languages they use and what the languages permit. If the languages permit bad security practices, then a developer somewhere is going to code them in. This is true. However, it's easy to abdicate responsibility and accountability to someone else. If real change is going to happen with regards to the security of our systems, it's going to have to happen at every level. Our industry has to get better. It has to mature in this regard. And it doesn't matter if you're a developer, a DBA, a network engineer, a system administrator, an enterprise architect, or any of the other myriad of positions within IT. Security needs to be more than lip service.
How do we get there? I don't have a good answer. It should be obvious that everything we've tried to this point is failing. I am almost at the conclusion where I think something catastrophic has to happen before we start taking data and IT security seriously. Leaking military secrets, losing millions of credit card numbers, exposing health care records for an entire network... those don't seem to be enough. This is the point where we basically need to ask, "Anyone have any new ideas?" and start to cull through them. So, does anyone have any new ideas?