Tuesday, November 6, 2012

Built-in robustness in IT Systems

Yes, it is true. We are woefully short of InfoSec professionals. Recent events (including the spate of #5Nov attacks) bear it out. We need more (and better-trained) professionals to protect our systems, as well as better technologies and products. One-way gateways, passive DNS traffic monitoring systems, more sensors, more analytics, you name them.

Yet, we are missing something fundamental in the picture.
Would you knowingly build your home with termite-infested wood and water-soluble walls? Would you forgo doors and locks and ignore building safety codes - just because you can add a swanky swimming pool with the money you save?
Would you then insist that we hire more security guards, buy more fire sensors, build protective shields on the outside and install props to shore up the insides of this hopelessly vulnerable home?
Absolutely not. Yet, we do it every day when building our critical IT systems. Don't we?
Well, the problem isn't so obvious with IT systems as with our homes. Neither the systems nor the weaknesses are visible to the naked eye. We can therefore make convenient assumptions on what is good enough security and still not lose sleep at night.

For decades, innovation and IT systems have romanced each other - and focused nearly exclusively on functionality, ease of use, etc. Yes, there have been developments in security - but almost all of them are post-facto solutions. Not built-in security. Not robust-by-design. Not in every component of the system.

Thanks to this approach, we are fast approaching a point where the IT sprawl will collapse on itself in a catastrophic sequence of events, unless we shift our focus to the process of building the systems in the first place.

Networking technologies are beginning to show this trend in a small way. Computing, not so much. Operating Systems are only scratching the surface, with the notable exceptions of OpenBSD and Kaspersky OS (is it named yet?). Databases, Application Platforms and Application software themselves haven't even begun. How many software professionals have even heard of secure coding? 0.001%? Or less?

We must change now and change quickly. Businesses will not be able to bear the burden of spiraling costs of post-facto and ineffective security solutions for long. We may not perish yet, but that is nothing to celebrate.
