I apologize in advance. I know depression is a sensitive and often uncomfortable subject.
Last month we discussed the third stage in the “Five Stages of Employment” – anger. Throughout the initial three stages, one still has a sense that things should be better and could change with the appropriate action.
In the fourth, you realize how much you cannot change, and a sense of doom and depression sets in.
As a professional Pollyanna, this is a particularly difficult list for me to create, as I firmly believe the security industry is far too full of fear, uncertainty and doubt. As a whole, we've failed to highlight the many strides that have been made to make the world safer (those which fall outside the realm of marketing brochures, anyway).
There is plenty of opinion on why that is; I won't get into it here. There is always a ray of hope in my view of things, as I'm now firmly in the state of hilarity where one understands that nothing stays the same forever, like it or not.
Nevertheless, here is my list of depressing facts of life in security:
- There is more profit in creating malware than in fighting it, so malware authors stay ahead of the defenses built to stop them.
- The malware “bad guys” are much better organized than the security “good guys.”
- User education is unlikely to be effective with the current generation of workers.
- Many security measures and policies will end up costing companies more than they save.
- Most companies will focus on functionality over security.
The first and second points follow simply from the fact that the malware authors' operations are outside legal confines. They don't exactly have mandatory meetings on interpersonal sensitivity, performance reviews or TPS reports. These things may make things run more smoothly and kindly, but they decidedly take away a certain amount of productivity. When one's pay is directly tied to how much work one accomplishes, uninhibited by company competition, salary caps or raises being deferred due to a recession, it generates a different sort of work ethic. In this situation, cooperation unquestionably helps everyone, and people are less likely to play hooky.
There was a time when it was considered controversial to knock the idea of user education. When you could convince yourself that a user slipped or acted without thinking, it was easy to convince yourself they could be trained to behave more wisely. But certain variants of the Bagle virus came in a password-protected ZIP file, which required users to double-click twice and to take the conscious action of entering a password. That removed the possibility that opening the file was anything but deliberate. This virus was closely followed by the sound of an entire industry's collective heart breaking, simultaneously.
The final two points are also related: Security is not cheap. Putting protections in place often costs more than the breaches they would prevent. But this is the thing I think will change most quickly.
Another thing which is quite expensive is bad publicity. With sites such as Facebook and Twitter spreading user-generated news in real time, if people have a problem with your product, the world will know about it in a heartbeat.
It is likely that this will push things like security and quality assurance higher in companies' priorities sooner rather than later.