I just read this article called 8 Dirty Secrets Of The Security Industry, which seems pretty nasty. Let's briefly have a look at them:
- Vendors do not need to be ahead of the hackers; they only need to be ahead of the buyer: Wow, this is a bad statement – but how true is it? It might be true. Something I see from time to time: companies that are making money with the bad things happening tend to reveal the threats and immediately offer the vaccination. So, how true is this statement?
- Antivirus certifications do not require or test for Trojans: I am not an AV specialist, but to me these certifications are similar to crash tests with cars: the vendors know exactly how the crash test is done, therefore the car can be prepared accordingly. Unfortunately the real accident does not follow the rules of the crash test… Does this mean they are useless? No, I think there is a certain value in these tests, but they should be looked at with care.
- There is no perimeter: Wow, what news :-) - if you have read my blog over the last few months, you will have realized that this is one of the themes I have been promoting for quite some time. Just as an example: Are you ready for your users of the (near) future?
- Risk assessment threatens vendors: This is similar to a statement like "a knowledgeable buyer threatens the vendor". I think that if you have a vendor that wants to partner with you instead of just looking for the immediate gain, this should not be a problem for the vendor. I am always claiming that you should do your homework and do risk management.
- There's more to risk than weak software: This is clear as well and we are often talking of the Layer 8-problem: the user!
- Compliance threatens security: This is an interesting statement, as a lot of companies think that if they are compliant with xyz they are secure! Nonsense. If you are compliant, you are compliant – that's it (you might quote me on this :-)). It reminds me of the ISO 9000 wave a few years ago, when every software development department wanted to become ISO 9000 compliant. What I sometimes saw was just a better documented mess and not really a streamlined process. Once they cleaned up AND documented, ISO 9000 made a hell of a lot of sense. So, it might help to show you the way, but it is not the ultimate goal.
- Vendor blind spots allowed for the "Storm" botnet
- Security has grown well past the "do it yourself" stage: Not everybody has understood that yet when I look at a lot of customers. Somebody is just doing security as a side job, and this will not work! It is a job for a Subject Matter Expert (might be one with a certification – what about compliance?) – unless you have nothing to protect :-)
To me, these 8 points are neither dirty nor secrets but definitely interesting to look at.