Does security nirvana exist?

I know, I know.  I can answer that question with a resounding “NO” and get on with things.  But seriously, what does it take to even approach security nirvana?  I mean really, there are so many people spouting theories about where we need to go to make the Internet secure.  Then there are a bunch of frickin’ criminal scum suckers over in Russia and China and America and wherever doing everything they can to keep fifteen steps ahead of us trying to plug the holes.  And then I take a closer look to see if we really are even plugging the holes (selling product sure as hell doesn’t do it).

Seriously folks, I know the answer to the question.  But how can we keep going down this road if we can’t even approach a state where we don’t have to look over our cyber shoulder every night and day?  What are we fighting for?  Where did the fight turn into a battle for money instead of a battle for security?  I also know we live in a capitalist society.  I AM a capitalist.  Nothing wrong with making a buck.  But I feel like such a cog among a bunch of cogs.  Where the hell is the wheel??  

I know I sound depressed.  And maybe I am a little.  Maybe it is just because it is 12:35AM right now.  But I just feel like so many of us have lost sight of what it takes to make things secure.  Products have a fit in security.  But with so many of us pushing product after product after product and not looking at security overall, where are we getting to?  When did the industry turn into a churn and burn machine?  This feels like an uphill battle, both ways, in the snow.

I know Alan will probably call me a young, naive punk again (OK, he didn’t call me a punk), but sometimes I have to stop and make sure SOME of my ideals are still there.  Otherwise I just become a big glob of compromise, picking up the lint and dirt on my way to security hell…


  1. So let an old fart like me from the industry answer one of your questions:

    Q – When did the industry turn into a churn and burn machine?

    A – Since DAY 1. You did reference a big word there – INDUSTRY – ever since the firewall, IDS/IPS, and AV vendors’ marketing groups figured out that the market for early adopters is extremely limited, they learned to focus 99.5% of all their marketing funds towards filling a Need (be it real or assumed). In the past 5 years the security industry as a whole went from the folks with a clue (aka the early adopters) to the world of regulations or the regulatory have-tos (aka the folks who didn’t really care until they were told to).

    With this environment as your customer base, you have to work with places that are simply checking a box. Do you have a firewall – check. Do you have an IDS/IPS – check. Do you have AV on your servers – no? Oh, well then you need XYZ’s antivirus solution.

    As we all know, security is a process – and only education will lead these folks to nirvana. They are looking to their trusted vendors/advisers to help educate themselves. So if it takes them buying a checkbox to get my foot in the door to help them get their learn on, then so be it.

    As with anything in the business world – until you show impact to the bottom line – you’re spinning your wheels. It’s up to you to educate them on why having those products is a stop-gap measure, but if they don’t teach their programmers not to write crappy web apps they are just going to continue the trend.

    So my long-winded message is simply – take what you can get to start educating them on what they truly need. That means teaching them that security is a continual process that includes People, Processes, Policies, and Products.

  2. It’s a hard balance, my friend. And it will never get any easier. Regardless of our true intentions, we will always be regarded with some degree of suspicion, given our professions and the companies we work for.

