By far, this is the most common security question I hear, and it’s always asked by technical people. I am attempting to formulate a better answer to this question by looking at different resources that are available and will make a few posts as I find items that might be helpful. Until then, here are some important things to keep in mind:
When talking with other technical people about the subject, I frequently hear that adding better security to products or services is the right thing to do. It’s what our customers want. It’s what our industry needs. This does not, however, translate into economic terms when talking with business stakeholders. One thing we all need to keep in mind is that the companies we work for are in business to make money. The right thing to do for a company is to show a return on investment. Because of this fundamental difference, security is often relegated to a press release stating that ‘it’s the company’s number one priority’ and rarely produces meaningful security improvements.
We simply need to make a better economic argument to induce companies to increase security spending and educate them so they spend it wisely.
The cost of a security exploit is rarely borne by the creator of the flaw. For example, the security breaches at LexisNexis and ChoicePoint will not have a lasting effect on their revenue. Other than the bad press, which will affect their stock prices in the short term, their customers were not affected and will continue to use their services. The cost of these breaches will be borne by ordinary citizens who had their personal information stolen and will now become the victims of fraud. There are several lawsuits in the making, but these will likely go nowhere: it will be too hard to prove that the stolen data was the catalyst for fraud against those individuals, and therefore difficult to assess punitive damages, barring a statistically significant percentage of the persons whose data was stolen showing a rise in identity theft with actual expenses incurred because of it. When a cost is borne by someone other than the company that created it, economists call it an externality, and externalities should never be the basis of your argument for improving security, even though fixing them is ‘the right thing to do’.
Most of the dollars spent on security today can be traced to government regulations and fear mongering. Vendors are not held liable for the products or services they create, as vendors in other industries are. Without liability, there are no real ramifications for security flaws, only short-term fluctuations in revenue due to bad press.
I found a paper here called “Unsettling Parallels Between Security and the Environment”. While I don’t agree with some of his theories (minor disagreements really), he does make some interesting points. In ecology, there are two schools of thought. One constantly promotes an agenda (global warming is bad, we will run out of coal in 25 years, the rainforests are disappearing, etc.), while the other says these fears are unfounded on any reasonable timeline and we should instead be looking at more important things, like providing clean drinking water to third-world countries. In the absence of scientific data, what would normally be considered urban myths are repeated often enough to become facts, and speaking out against them becomes politically incorrect.
What is the cause of this? Money and power:
Most of the players in the environmental business have an incentive to talk up the problem: this holds whether you are a professor of botany seeking funding for an expedition to Brazil, an engineer trying to sell flue-gas desulphurization equipment to a power station, or a bureaucrat trying to build up the influence of the environmental agency you work for.
His main theory is that, in terms of dollars, we already spend enough money on security, if not too much; we just spend it improperly. This is where I have a minor disagreement. True, there are some perfect examples of spending too much money on the wrong type of security. Look at airport screening. Are we any safer than we were pre-9/11, even though we spend billions more? I certainly do not think so; in fact, I believe we are at an even greater risk, because a new attack vector has been proven to work and nothing the government has done effectively prevents it. But on the whole I don’t believe companies spend enough on security, and what money they do spend, they spend improperly.
Companies generally spend money to meet government regulations or because they buy into urban legends. These urban legends are often the source of the government regulations in the first place. Instead of scientists trying to get funding for a trip to the rainforest, we have firewall salesmen trying to make their quarterly quota, and so-called security experts saying you’re safer on a Mac.
I’d be laughed out of the room if I told an e-commerce company that they really didn’t need to encrypt credit card data over the internet, and that it would be more beneficial simply not to store credit card data on their servers. I’d be considered just as much of an idiot as the scientist who speaks out against left-wing environmentalists. Am I, though? As a matter of practicality, hackers want to steal millions of credit card numbers, not one at a time. Isn’t it more important to alert customers that they are entering a transaction with a trusted entity and not a phishing group, something every major browser fails at miserably by showing nothing more than that little lock icon? The lock only tells the customer that the connection is encrypted to whoever holds the certificate, not that the holder is who the customer thinks it is. We are focusing on the wrong thing: in this case, encrypting the data in transit, rather than ensuring that the correct entity receives it and handles it properly.
All in all, it has been my experience that what we do spend on security is spent largely out of ignorance. It lulls business stakeholders, consumers, and the government into a false sense of security. To make matters worse, as technical people we often bask in the ignorance of the non-technical people around us and don’t realize how truly counterproductive this is. Education helps people recognize their own ignorance, and does so in a non-threatening way. Try to remember that the next time you approach the subject.