The real problem with the security industry

Ask a security professional about infosec challenges, and you’ll get an earful of complaints about everyone else: Users click on bad links and open attachments, developers release buggy code, IT lags in applying software patches, the C-suite doesn’t understand security priorities, and so forth.

But the truth is IT is figuring out how to work with developers, and today, many enterprises are starting to take user training seriously. In fact, security professionals fail to collaborate because they’re too busy pointing out all the things everyone else is doing wrong.

Case in point: Last week, when I was at the RSA Conference in San Francisco, the DeveloperWeek conference was underway nearby. At the latter conference, I could find only one security-related talk on the schedule: Pete Chestna, Veracode’s director of developer engagement, talked about how security was the next opportunity for developers. Veracode also had two workshops at DeveloperWeek on how the company approaches devsecops (the integration of devops and security).

To me, it’s astounding that none of the usual experts who rail about software vulnerabilities and application security made their way to DeveloperWeek. It raises the question of exactly who these companies are selling to if they aren’t talking to developers.

Security still lives in a silo, walled off from the rest of IT and business. Worse, it seems like security wants to stay separate. It’s easier to stay in the bubble, where everyone agrees with each other in their smug superiority, rather than stepping out into a new environment, breaking down the walls, and working together with nonsecurity professionals to actually make a difference.

That leads to the second big problem facing the security industry: Where is the leader to set the agenda for solving security challenges and to develop methodologies and technologies that address the problems?

Where is Microsoft?

Microsoft is physically at RSA Conference — as a “diamond” sponsor, as an exhibitor on the show floor, and on stage calling for a Geneva Convention for cyberwar — but ever since the company axed its Trustworthy Computing Group in 2014, it has practically disappeared from the security conversation. Microsoft rationalized the shutdown at the time, saying security needed to become part of each product team, instead of maintaining an overarching domain.

It’s a stark change from when Microsoft launched Trustworthy Computing back in 2002, when then-chairman Bill Gates wrote in the companywide memo, “We must lead the industry to a whole new level of Trustworthiness in computing.”

With Trustworthy Computing, Microsoft developed a new security-focused mindset and improved availability and security models. The company led by example, showing other organizations how to integrate security in the software development lifecycle, establishing best practices in enterprise security, and working with partners on how to elevate security for everyone — not only internally.

Today, no one is setting the bar for security in the same way. Technology companies have carved out their own niches, but no all-encompassing leader is filling the vacuum Microsoft and Trustworthy Computing left behind. Apple has made tremendous investments in security, but it’s completely restricted to Mac OS and iOS, and even so, its secretive culture means no one really knows exactly what the company does. There’s no way for enterprises to learn from Apple.

Facebook has been tackling the identity problem, but in many security areas, it still follows industry trends — an early adopter, to be sure, but it isn’t blazing new trails. Plenty of innovative security startups tackle big challenges, but none enjoys Microsoft’s mind share, in part because they target specific issues. Mozilla used to be a security darling, but it hasn’t used its megaphone in a while.

That leaves us with Google. In a way, Google fits the pattern Microsoft set, using its dominance in search and the popularity of its Chrome web browser to push everyone else to adopt better security. Google was the first to declare that its browser will no longer trust websites using insecure SHA-1 certificates. It has pushed certificate authorities to adopt Certificate Transparency, primarily because the company kept discovering fraudulent digital certificates issued for its properties. It has made libraries available for developers interested in taking advantage of Chrome’s support of FIDO standards for authentication.

It’s also pulling back the curtain on how it tackles security internally, such as its recent whitepaper discussing its rollout of hardware security keys to its employees to handle multifactor authentication. Shortly after the disclosures by Edward Snowden on the National Security Agency tapping datacenter connections to intercept internet traffic, the company encrypted all its internet traffic, in and out of the datacenter.

At the RSA Conference, Google discussed its seven-year rollout of the BeyondCorp framework, where the network is considered untrusted and trust is based on what the company knows about users and devices connecting to the network. BeyondCorp starts with the acceptance that perimeter defenses like firewalls and other trusted network security equipment are ineffective when employees use myriad devices and are constantly moving around in and out of the network.
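As an added illustration of the BeyondCorp principle described above (example code written for this page, not Google's implementation, with constructed inventory, directory and resource data whose fields and names are assumptions): an access decision that consults only what is known about the user and the device, so a request from inside the corporate network earns no trust by itself.

```python
# Constructed sample data; the schema and tier rules are assumptions for this example.
DEVICE_INVENTORY = {
    "dev-1001": {"managed": True, "disk_encrypted": True, "os_patch_age_days": 5},
    "dev-2002": {"managed": True, "disk_encrypted": True, "os_patch_age_days": 90},
    "dev-3003": {"managed": False, "disk_encrypted": False, "os_patch_age_days": 400},
}
USER_DIRECTORY = {
    "alice": {"groups": {"eng", "oncall"}},
    "bob": {"groups": {"sales"}},
}
# Each resource names the minimum device tier and the user groups allowed to reach it.
RESOURCES = {
    "wiki": {"min_tier": 1, "groups": {"eng", "sales"}},
    "prod-console": {"min_tier": 2, "groups": {"oncall"}},
}


def device_tier(device_id):
    """Derive a trust tier from inventory facts; unknown or unmanaged devices get tier 0."""
    dev = DEVICE_INVENTORY.get(device_id)
    if dev is None or not dev["managed"]:
        return 0
    if dev["disk_encrypted"] and dev["os_patch_age_days"] <= 30:
        return 2
    return 1


def authorize(user, device_id, resource, source_ip):
    """Return (allowed, reason).

    source_ip is accepted only so it can be logged: network location contributes
    nothing to the decision, which is the point of treating the network as untrusted.
    """
    res = RESOURCES.get(resource)
    if res is None:
        return False, "unknown resource"
    tier = device_tier(device_id)
    if tier < res["min_tier"]:
        return False, f"device tier {tier} below required {res['min_tier']}"
    groups = USER_DIRECTORY.get(user, {}).get("groups", set())
    if not groups & res["groups"]:
        return False, f"user {user} not in an allowed group"
    return True, f"allowed from {source_ip} on user and device trust"
```

With this data, an unmanaged laptop on a corporate address (10.0.0.5) is refused the wiki, while a patched managed device on a public address reaches the production console, because only the device record and group membership are consulted.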

Despite all that, Google tends to take a go-it-alone approach. It’s not really cultivating a partner ecosystem with the idea of tackling security problems together. It uses its market position to make security pronouncements, leaving other companies to decide whether to follow suit. The company shows off its successes via whitepapers, which take the tone of: “Everyone does this wrong, but we alone know how to do it right.”

In today’s dog-eat-dog world, perhaps the idea that everyone needs to pitch in and work together to make security better for everyone is archaic. Maybe Google’s style of “the only true way is the Google way” is what suits the security industry now. But what results can we expect from that approach?