The consumerization of security

Increasingly, commentators are calling into question the state of information security. It’s about time. We infosec professionals need to take action before our customers force us to.

Standard security is just not intellectually secure. Information Security Management Systems and security audits are based on discredited quality management frameworks like ISO 9000 and waterfall methodologies. The derivative PCI-DSS regime mitigates accidental losses and amateur attacks but is farcically inadequate in the face of organised crime. The economics of perimeter security are simply daft: many databases are now worth billionsof dollars to identity thieves, but they’re protected by meagre firewalls and administrators with superuser privileges on $40K salaries. Threat & Risk Assessments have their roots in Failure Modes & Criticality Analysis (FMECA) which is hopeless in the highly non-linear and unpredictable world of software, where a trivial mistake in one part of a program can have unlimited impact on the whole system; witness the #gotofail episode. Software is so easy to write and businesses are so obsessed with time to market that the world now rests on layer upon layer of bloated spaghetti code. The rapidity of software development has trumped quality and UI design. We have fragile home computers that are impossibly complex to operate safely, and increasingly, Internet-connected home appliances with the same characteristics.

We can’t adequately protect credit card numbers, yet we’re joy-riding like a 12-year old on a stolen motorcycle into an Internet of Things.

We’re going to have to fix complexity and quality before security stands a chance.

Maybe the market will come to the rescue. Consumers seem to tolerate crappy computer quality to some degree, doubtless weighing up the benefits of being online versus the hassle of the occasional blue screen or hard drive crash. But when things like cars, thermostats and swimming pool filters, which don’t need to be computers, become computers, consumers may make a harsher judgement of technology reliability.

Twenty years ago when I worked in medical device software — pre-Internet, let alone the Internet of Things — I recall an article about quality which predicted the public would paradoxically put up with more bugs in flight control software than they would in a light switch. In a way, that analysis predicted one of the driving forces for technology today: consumerization.