Something quite prominent happened in the security field over the last week. It is a strategic move so I am going to talk about it here rather than on Holy Hash! although it would be interesting to the security folks too.
So, what happened, you ask? Ah, nothing so spectacular that TV shows would interrupt their evening program for but so momentous that I wish they would. It all started with the little exercise at RSA Conference where a couple of so-called “security leaders” declared that security is the territory of really large companies and anyone smaller should just forget about it. I already wrote my opinion about the basic idea of ignoring risks in an area where an incident, according to Coverity, runs on average to 7 million dollars but can easily be a couple of orders of magnitude more.
It would all go into history unnoticed if it were not for Bruce Schneier, who suddenly chipped in with his commentary that he agrees with the gentlemen in question. Now, Bruce is not stoopid and he is the head of security for BT. To explain to our full satisfaction how his words can go counter to what he usually preaches in his books and in his security life, we have to take it as the corporate direction from BT. Otherwise why would he go to the trouble of participating in this publicity stunt?
So here is a sand castle of conspiracy theory for you to contemplate. Notice now, how we suddenly have 3 companies largely unrelated to each other preaching the same message on highly respected channels. First, let’s summarize the message. I think it could be said along the lines of:
Only really large corporations can afford to invest in security. Small companies cannot justify the investment in security. Unless a company suffers a security problem the company must ignore security completely.
When I re-read that, I cannot help myself wondering: “where is IBM?” They should be in this game, they have been at it for decades! But I digress.
Whether the message is in earnest, as a joke or in pretense does not matter. What matters is the content of the message and the credibility of the source. Using serious, well-known channels like RSA Conference and Bruce Schneier practically guarantees a large outreach for the message, with the credibility of “beyond serious doubt” automatically stamped all over it.
So this is the message, and it is easy to imagine that the “smaller” companies would follow the advice and stop taking care of their own security and the security of their own products. What will happen? They will lose all security-related expertise, security developers and so on. So they will have to outsource the security somewhere else when accidents happen. And security accidents happen all the time; the ignorant companies will not have to wait long.
So I can see how this is a very profitable direction for BT, that sells security solutions. I can see how that is profitable for SilverSky, that sells security services. But how is it profitable for Adobe? Well, it probably isn’t. John Viega and Brad Arkin have spent a lot of time together and Cigital will certainly benefit, so I am not surprised at the performance from amis cochons even if it is irrelevant for Adobe.
Anyhow, here is an attempt at a new trend and we will see how things move on. I suppose we have to allow for several possibilities: (1) this is just a one-off publicity stunt for the people and companies in question; (2) this is companies “testing the waters” for the new “approach to security”; and (3) this is the beginning of a shift towards acknowledged massive insecurity, driven by those interested parties. On a hunch, I would vote for number three.