Jeremiah Grossman, founder, WhiteHat Security
The unemployment rate amongst information security professionals is effectively zero — possibly even less than zero. Due to this low rate, many enterprise InfoSec programs are being managed by non-security personnel out of pure necessity. As a result, many blame the ‘security gap' and the constant flood of breaches on a labor shortage. While they may be right, this is an insufficient explanation as the complete answer to the vast Internet in-security is far more complicated. That said, for us to begin closing the ‘security' gap, we must do two things. 1) Invest in new security technology that does the heavy lifting so InfoSec pros can focus on managing the technology. This approach will lower the skill bar from a technical standpoint, and allow security pros to take a more holistic approach and scale their expertise to a much greater degree. 2) Identify and reach out to underutilized labor pools that we can help educate and make the information security world attractive to them. Technology helps, but people matter most.
Günter Ollmann,chief security officer, Vectra Networks
The repeated failures in information security are almost entirely down to poor technology decisions and complexities in operational design. For example, for the last thirty-years we've tried to train users to employ ever longer and more complex passwords, yet they consistently trip over their own feet with something as “simple” as an eight-character alphanumeric string. With three-decades of failure under our belts, why haven't we learned that goldfish can't climb trees?
When the systems we deploy and rely upon fail, it's easy to blame the user. The reality is that failures formulate at the junction points in complex systems where designers didn't anticipate the answer or only partially solved the problem – leaving the decision to someone else; typically a user less qualified than themselves.
“Secure by design” means that we force the system to take the tough decisions, anticipate user actions, and remove all paths of confusion and threat. Why shouldn't they be able to click on anything they like?