Mogull over at Securosis points out an article on a lawsuit against a POS vendor and implementor for passing on insecure systems that violated PCI. Or something to that effect.
Either way, this is a Big Deal. This is something I’ve been patiently waiting for over the last couple years as PCI has gained traction.
I’m a little early, but I believe 2010 will be the year that The Security Blame Game becomes further legitimized as a business model. In other words, I feel that we’ve long had a quiet blame game when it comes to security, but as more becomes required to disclose and more cost is moved around from party to party, the quiet blame game is going to get very public, very annoying, and very costly.
Which is especially scary because security is not a state or achievement. You’ll end up with impossible contracts and a bigger gulf between what people think is secure and what is actually in place. And it will be shoved deeper into the shadows when possible. And compliance will continue to be questioned despite the improvements and exposure it can provide.
Here are some other observations I expect to hear more about in 2010:
- more exposure of stupid configurations, implementations, and builds of “secure” systems
- industry needs to clean out the security charlatans, and cost/lawsuits have to do it
- more pressure to do security “correctly” which is far more costly than most realize
And one thing I *hope* happens more:
“Turnkey” security tools whose vendors brag that you just turn them on and let them loose (sometimes with one-time tuning) and you’re secure. And you don’t need staff or extra business process or ongoing costs other than licensing. Bullshit. Every security technology needs analysts at the dashboards, at the very least. Hell, even in just plain old IT operations, far too many issues and incidents are found by third parties or by accident while looking at something else. It’s an epidemic (and an indirect product of economics) that will not begin to go away.

I really hope the idea of security as a process continues to be foremost, and that the idea that something is “secure” begins to die. I doubt the latter will ever happen; that idea has persisted for decades in computing, and longer in security in general. I’m not saying we need to solve security. In fact, I want to say we need to solve our perception of it, so that we don’t ever actually ask for or expect a “solution” to security…