March – 2013 – Aruberusan

Strategic direction: security ebb

2013-03-13Albert Zenkoff 1 Comment

Something quite prominent happened in the security field over the last week. It is a strategic move so I am going to talk about it here rather than on Holy Hash! although it would be interesting to the security folks too.

So, what happened, you ask? Ah, nothing so spectacular that TV shows would interrupt their evening program for but so momentous that I wish they would. It all started with the little exercise at RSA Conference where a couple of so-called “security leaders” declared that security is the territory of really large companies and anyone smaller should just forget about it. I already wrote my opinion about the basic idea of ignoring risks in an area where an incident, according to Coverity, runs on average to 7 million dollars but can easily be a couple of orders of magnitude more.

It would all go away into the history unnoticed if it was not for Bruce Schneier who suddenly chipped in with his commentary that he agrees to the gentlemen in question. Now, Bruce is not stoopid and he is the head of security for BT. To explain to our full satisfaction how come that his …
Read the full article ->

Mitigating risks … is a waste of money?

2013-03-06Albert Zenkoff 1 Comment

There was an interesting talk at one of the panels at the RSA Conference, where SilverSky and Adobe claimed that investing in security is a waste of money. Their message is simple and compelling:

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

Although they say that this was all in pretense, we all know it was not, companies large and small try to avoid fixing problems as long as they can, waiting for customers to complain loud before ever doing anything. Basically, this is a risk that companies rate as unimportant because of its low perceived rate of occurrence.

The problem with this kind of risks that they cannot be properly rated. The probability of these risks is hard to rate because the data is basically unavailable. And the impact of the risk is underrated because of low perceived probability. People tend to ignore such risks.

But the companies, can they also afford to ignore such risks? What has to be considered is that a …
Read the full article ->