Wednesday, 9 July 2008

Security is a Process, not a Product

Back in the year 2000, I remember reading an article by Bruce Schneier (a security hero of mine) in which he said "Security is a Process, not a Product". Bruce talked about whether this would ever be understood. It really struck a chord with me at the time and I've been quoting Bruce saying that ever since in my own presentations. Well, 8 years have gone by since I first read it, and Information Security has certainly come to the fore in that time, but Bruce's statement rings truer than ever.

I don't want to come across as knocking the security industry, because they do provide many great security products and services, but in the industry's push to sell products and solutions, I think they are helping to drive the notion that the answer to every information security problem is simply to buy a product off the shelf.

I have lost count of the number of times I've been at security events and conferences where the "punters" are repeatedly told, "buy our product and your security problem will go away overnight, but if you don't buy, something nasty will definitely happen".

I have to say part of the problem is that the punters who go out impulse buying "off the peg" security products tend not to understand what information security is about in the first place. Often they are looking to the security industry, and those pesky sales guys, for security advice. In fact the sales tactic is often to host a "free security advice/awareness" session to draw in the punters. I show up to some of these events to gauge where the market is and how threats are perceived to be moving, but it really makes me cringe at times, especially as the message is increasingly "buy this and you will be secure!" And it gets worse, as some companies are clearly jumping on the security bandwagon to make a quick buck.

At InfoSec Europe this year, I heard one (so called) security organisation openly presenting about the PCI Data Security Standard to a bunch of folk who, judging from their questions, really didn't know anything about the standard other than that it affected their business. This company was out and out misleading those listening, and it was clear to me the presenter didn't even know the proper facts about PCI DSS. In fact I was so outraged by what I overheard that I stopped, blended in with the punters, and at the right moment asked a question about requirement 6.6 to deliberately trip them up. I asked, "so which is best on requirement 6.6 in your expert opinion, a code review or an application firewall? And why?" They didn't have a clue; anyone knowing and working with PCI DSS would instantly know and understand the issue around Req. 6.6 in mid 2008.

I think the answer for the "punters", namely the organisations which, let's face it, are in many cases only just waking up to the issue of information security, is to train and invest in a security department and personnel. That way they are correctly advised on the proper solution processes from the ground up, and they understand when and where they should buy products off the shelf to help reduce security risk along the way.

1 comment:

Sammy Launius said...

Absolutely right: Security is a Process, not a Product. This is a process of Personnel Security, where if we're ever going to make our digital systems secure, we're going to have to start building good protection.