10 kinda truths we hate to admit

Mogull posted his 10 Truths We Hate To Admit over on DarkReading. Read it to get his explanations. I’ll react below. In fact, I’ll play a little bit of a devil’s advocate here.

1. Signature based desktop antivirus is an addiction, not effective security.
We really have to define “effective security” to discuss this topic. If we’re looking for perfect security solutions that don’t leave gaps, then yes, I agree. If we’re speaking about layered defenses that try to throw a wide net to catch 80% of attacks, then we have a discussion here.

2. The bad guys beat us because they’re agnostic and we’re religious.
Ahh the nature of the beast. This statement alone is arguable, but I like Mogull’s explanation in his piece.

3. Antitrust concerns force Microsoft to weaken security.
I’ve been saying this for years now; Microsoft will not be allowed to create a secure operating system. Antitrust statements aside, there is now a security industry that simply won’t allow it. That’s unfortunate, and it will take Microsoft building a new OS (beyond Vista) that has everything built in. Then again, perhaps this is tolerable since we can’t have something as big as an OS be truly secure without either skilled admins managing it or products to augment the weaknesses. Either one is an industry…

4. Vendors are like politicians – they lie to us because we ask them to.
This is a function of the rapid movement of technology. IT managers have a HUGE job to do in keeping up with the latest innovations and tools and companies and offerings and their own needs. We need yet more information sharing, more services, fewer products. Outsourcing security functions can help with this a lot.

5. We’re terrible at talking to, or understanding, those that fund us.
While I do buy this on one level, I also don’t buy this on other levels. I think many people think we need to align better to get more dollars, but lack of full funding is part of life in an economic system; it’s not because we’re speaking in tongues. I often feel this is a scapegoat for other problems… But there are also plenty of times where we just can’t make our cases and don’t align our own goals to those of the company. I just don’t like trumpeting this, I guess, because it is so situational and subjective.

6. Security researchers need to grow up.
I disagree, and I find it healthy to have such a wide range of opinions and discussions and approaches. Besides, it is not how loudly researchers cry that gets them credibility, but the topics themselves. Just like the MySpace worm a year ago, even unknowns can poop out something cute and make a major impact by accident. I like our community, and wouldn’t change it at all.

7. Security companies make more money when there are more incidents.
I’m sure we could learn lessons from the pharmaceutical industry on this topic. They don’t make money unless people get sick, no? Then again, this is basic supply and demand, and not necessarily something we should combat or worry about.

8. Network security is the result of a mistake, not an industry worth perpetuating.
Good luck ultimately securing devices, apps, and people. Sadly, this just won’t happen as long as we have humans as a part of this mix. (And unless Skynet takes over, that’s a given forever!) I will say that we should strive for and keep saying we need endpoint and code security improvements, and I don’t mind keeping that perfect goal in mind, but I won’t delude myself into thinking that’s achievable or means I can denounce the network measures.

9. Disclosure is dead.
Disclosure isn’t dead, but your hidden, real point is correct: the debate about disclosure is dead. Companies do as companies do, which is economically driven. So do researchers, and there will not be a middle ground, at least not as long as both sides remain economically competitive.

10. Momentum will destroy us, until it doesn’t.
Amen to this.

11. We can’t fail.
We can’t win either. But there are those who feel the pains on a microscopic level when we do fail. C-levels and other techs can lose their jobs and credibility when they are perceived as failing. That happens, and it is unfortunate because we often work under the assumption an incident will occur. But in the end, like an invader in the body sparking a defense mechanism, society and our companies will support the concept (if not the people present!) of improving security in the face of disaster.

