Slashdot Mirror


Information Security Is Becoming Infrastructure

Bruce Schneier has a story at Wired about his observations from the recent RSA conference. He noticed that the 350+ vendors who attended the conference were having difficulties selling their products or even communicating with potential buyers. Schneier suggests that the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it. Quoting: "When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference."

5 of 75 comments

  1. We've seen this with PGP by CRCulver · · Score: 5, Insightful

    We've seen this problem with the PGP world. Geeks like working with everything themselves, but it's hard to convince non-geeks to use it, because they don't see the point. If encryption were really vital, it would be packaged for them to easily enable it, just like their online banking. Even secure e-mail standards like Secure MIME are easy to use but still little known, because companies don't actively pitch them to their customers.

    I would beg my fellow geeks, at least, to rediscover some of the passion about encryption. As I posted a couple of days ago, a decade ago every geek had a PGP key and Schneier's Applied Cryptography was our favorite bedtime reading. Now, even geeks don't want to go through the minimal (to us) effort of working with crypto.

  2. maybe the market is working by convolvatron · · Score: 4, Insightful

    maybe the problem with selling security is that the products are a pile of afterthought patches. security is a property that should lie at the foundations of a design. why should i put some 1u appliance with a lot of molded plastic on my ethernet at all?

    1. Re:maybe the market is working by houstonbofh · · Score: 4, Insightful

      I was thinking this myself... It could be that people don't understand it. But it could be that the products don't work all that well. Or it could be that a bad network design makes it all pointless anyway. But get HP or BMC in there with a big network plan that includes security, and it works.

      I think they have it backwards. Security isn't a utility, it is a highly technical skill. You need a person, not a box.

  3. NOOOOOOOOO by Original+Replica · · Score: 4, Insightful

    the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it.

    Great, once again the tools I need to protect myself are being taken away and given to "the professionals". So if all the security tools go to the ISPs and other infrastructure, how do I protect myself from ISP spyware?

    --
    We are all just people.

  4. Re:Self-serving horseshit by Bargeld · · Score: 5, Interesting

    Of course, security consultants think that security should be left to the professionals (i.e., them). Because it should. Or more accurately, oversight of it should. But when you have security-savvy architects, project managers, and (rarely) business-line managers, it makes the need for micro-managed technical oversight MUCH less. But no matter what, someone needs to be managing the big picture of risk across all the silos of expertise.

    Security consultants like to put that "CISSP" on email signatures and business cards because it makes them sound like doctors or lawyers, but at the end of the day, nobody really gives a shit. Amen :) It's always struck me as a grandiose, sad conceit...and I _AM_ a CISSP. It'll be a cold day in hell when I throw it around like a badge of pride, let alone authority, because frankly, it's a mediocre standard. Management at my last employer forced me to write the exam "to make our practice more credible to clients", and I spent a whopping 2 days "studying". The bar it sets is...very low. Not bad for a foundation, but not good for much else.

    I've been doing infosec work for over 17 years now, and IMO, the "problem" as it were, is that the demand for expertise has utterly outstripped the experienced pool of talent.

    Net result? Exactly what you observe: "cash cow security" that is more focused on implementing wildly expensive (and frequently Rube-Goldberg-esque) technology solutions. Why? Because the inexperienced security practitioner immediately and inevitably turns to vendors for "turn-key solutions" to every risk (and many non-risks :)

    Conversely, the much smaller number of people with substantial experience in the trenches are the ones who might point out that a $50,000 security awareness campaign _just might_ reduce net risk a WEE BIT more than a $3million 17-tier-firewall-atrocity. Or that a 10-man-hour risk assessment by security professionals attached to EVERY project's design phase _just might_ have a better chance of reducing risk than a $30k penetration test of every project by an external vendor that is 9 times in 10 a glorified canned vulnerability scan by a junior drone.

    Not much of this is likely to change anytime soon. Sad to say, information security is still a very young and immature science. Things won't get better until the experience-pool gets deeper.

    --Bargeld
    --
    "I hate to advocate drugs, alcohol, violence, or insanity to anyone. But they've always worked for me." --Dr. Hunter S.