you can count on schneier to get the discussions going!

I normally don’t follow Bruce Schneier because I figure the good posts he makes will get linked by the sites I do read. Yet again I’m right, as I got pointed over to Bruce’s latest by a post from Rothman. Bruce is talking about buying security suites vs best-of-breed and tons of other little pokes and prods. I know not everyone gets what the big deal about Bruce is, but you have to admit he has a lot of good thoughts.

…and we continually fool ourselves into believing whatever we don’t have is better than what we have at the time.

I’m a firm believer in this cyclical pattern coming up quite often in human experience. In IT, it is like having centralized mainframes, then decentralized microcomputers, and now pushing back to centralized iron. By the time we get entrenched in web services, we’ll be wanting the next thing (or going back to fat apps).

Honestly, no one wants to buy IT security. People want to buy whatever they want — connectivity, a Web presence, email, networked applications, whatever — and they want it to be secure. That they’re forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.

I think I do agree with what Bruce is saying here. The problem is we, as an IT industry, cannot keep up with the pace of technological change right now. By the time we get people experienced and trained to make secure decisions about a technology, we either get new software versions, new hardware with a new OS, new needs from our stakeholders, new solutions from our developers, or entirely new technologies. An analogy to the car world would be driving a new car every week. Sometimes the lights stay on when you shut it off, sometimes the stereo buttons are on the left, sometimes you don’t get telescopic tilt, and that’s not even getting into how you learn the feel of the shifting on manuals and how it handles on the road in varying conditions. The questions come down to: Can you drive it safely? Can you drive it well? Two very different approaches.

It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they’re selling.

The problem? Security is not something you can achieve completely. This means your vendor *will* fail. What happens then? Do you sue them? Do they recover your losses? The problem with moving security anywhere outside the company is the difficulty in also moving the responsibility and blame for insecurity. Risk management is the way to go, but it still seems business doesn’t handle that very well as a whole. Either it works always, or it doesn’t work and we’re moving on.

Rothman tackles this another way which I fully agree with.

It’s true that customers don’t really care about security, but I can tell you they absolutely HATE their carrier or cable company. The idea that they would trust them to provide security in the cloud is a joke.

You’re damned right. Carriers are large beasts, and they completely suck at delivering services. They can deliver a product (pipe of size X or solution B) but once you get away from their small portfolio of slightly specialized products, they suck. I’d never trust my home provider or any of the providers we use at work for my security. And I’m positive they won’t help me anyway once things get inside my walls, just like they don’t troubleshoot network issues past the demarc. But they deliver my Internet pretty damned well most of the time!

(Aside: What is security, a product or a service? Bring that up as a discussion starter at the pub next time!)

But let’s move from ISPs and go further. I understand that companies like Boeing contract pretty much all of their IT out (I believe mostly Dell right now) to solutions providers (btw, ask anyone at Boeing just how not-awesome their IT support is!). In this case, security better damn well fall into Dell’s lap as well, or some other outsourcer’s. But that leaves a hell of a lot of SMB business still fending for themselves. Sure, security and IT should be one and the same and both outsourced as infrastructure, but I feel we have a VERY long way to go before this can trickle down past the Fortune 500 or into consumerland. Siemens, IBM, and other players can only go so far before they become so diluted that the whole landscape remains at a minimum security level. Images of Jerry Maguire…fewer clients, better attention, better quality…or the opposite.

So what else is an answer besides just outsourcing it all, since that will take forever? Marrying IT and security in house with your current IT techs. If they can do their job while keeping security in mind, you can do some pretty acceptable things, with some oversight.

Of course, if anything even partially mentioned above or in the above links were the right answer, it’d be very obvious and the idea would take our industry by storm. But none do, which means none are really the answer for everyone.