The short answer is that online security is "good enough" -- adequate for the risk represented by the value of the transactions. Consider credit cards. There is certainly theft and fraud, but various security measures, added over time to address new threats, kept losses at an acceptable level. Computer and online security seem to be following a similar path. The operating systems and browsers get new security features, patches and updates, often in response to some recently discovered or exploited vulnerability.
We've long been saying that this cycle of vulnerability exploitation and patch will never really end, and everything we've seen since then only reinforces this belief. And the complexity all those patches adds more vulnerabilities.
But what if the patch efforts fall behind? What happens when "good enough" just isn't good enough anymore? One could argue that identity theft is on the verge of becoming the manifestation of this risk. Many will be surprised to learn that in 2006, most identity theft was enabled by non-internet data collection. Online exploitation on a grand scale might cause an exponential increase in what is already one of the fastest growing consumer threats in the U.S.
It will take a new way of thinking about security, and new offerings that can isolate and close off broad categories of threat, so that "good enough" is still good enough when the stakes go up.
We have some ideas, and we're doing more than just thinking about them.
A version of this piece appears in Vantage, Vol. 5, No. 1, 2008, RSA's magazine on information security issues and trends.
For more coverage of the RSA Conference, visit our special RSAConference 2008 microsite. It contains news and announcements from theshow floor, as well as podcasts, video and opinion columns from keynotespeakers and industry luminaries, like RSA Conference's Sandra Tom LaPedis and Tim Mather, Symantec's John Thompson and Kevin Haley, IBM'sVal Rahmani, and SC Magazine's CSO of the Year Dan Lohrmann, CISO ofthe State of Michigan.