Monday, August 6, 2012

Defect Acceptance

Cybersecurity has been a hot topic for over a decade and only seems to be getting hotter.  When I meet new folks and mention being "in" information security, I cringe when I hear the standard response, "Oh, that's a really hot field.  I bet that there are a lot of opportunities for someone like you."  Well, yes and no.

Let me first point to a fairly good recent editorial over at the New York Times.  The article opens with an incredibly appealing line:

Relentless assaults on America's computer networks by China and other foreign governments, hackers and criminals have created an urgent need for safeguards to protect these vital systems.

What a great statement!  Fear and uncertainty all captured succinctly to the delight of all security professionals.  Watch as we all laugh privately as if listening to an inside joke.

The joke?  Only security folks and the media actually seem to care.  Sure, corporate and government executives are "fully behind" the need to stop businesses from losing "billions of dollars annually," as the NYT editorial puts it, but their actions continue to betray their reluctance to actually do anything to protect information systems.

I call it the "smile and nod" response.  Try this.  In your next discussion with a senior business person, when talking about planning, just stand up, point to the ceiling, and say "Security!" with an authoritative tone as if you just had a great innovative idea.  I'm willing to bet that the standard response will be to smile, nod, and say something to the effect of "Security is very important to our organization."  Then, ask what you can do to support the organization's security mission and the response will likely be "that's something for another department to figure out."

The response is a symptom of a broader problem.  We think of security as something that needs to be "corrected" versus something that we need to "capture."  Perhaps it's the nature of a growing sense of individual entitlement where we believe that we're simply better than anyone else and that we can do no wrong.  With so many young people becoming millionaires and billionaires in information technology without subjecting themselves to the rigors of a formal education, who can blame the culture for developing an inherent sense of teenage invulnerability?  When bad things happen, they happen to other people.  When they happen to me, then someone else needs to fix something.

Business is owned, security is corrected.  The former is proactive while the latter is reactive.  Until organizations integrate security into their business objectives they will be unable to truly capture security.

The most significant indication that organizations have failed to take ownership of security as a business imperative is in how they have come to expect rapid evolution in IT capabilities, features, and functions while willingly accepting the associated defects.

IT has become an organizational commodity.  But, as a commodity, it is unique in that the industry has succeeded in making organizations comfortable with receiving and using defective products.  Organizations demand new functions and reward IT companies for maintaining high-frequency go-to-market strategies.  But, when defects or vulnerabilities are identified, organizations fail to hold the manufacturers responsible.

Microsoft is probably the best and most historical example of this trend.  Despite widespread software defects that lead to serious security vulnerabilities, Microsoft continues to be the largest software developer in the world.  Why?  Because organizations consider the Microsoft Windows operating system and Office productivity suite to be commodities, tools necessary to carry out every moment of most business functions.  Organizations are now so accustomed to the frequent software "patches" meant to correct defects that they generally ignore them, and Microsoft has moved to make updates so transparent that they are nearly invisible to most users.

In a way, Microsoft became an early pioneer of a "Defect Acceptance" philosophy.  Rather than take the time and expend the resources to develop a quality product, they effectively redefined "quality" in the IT context to be "functional" versus "sound."  This differs from other business commodities such as vehicles and physical infrastructure where people expect sound and safe function, holding manufacturers accountable for defects.  

Microsoft is far from being alone, and I intend only to use it as a prominent example of a trend that parallels its rise.  Every software company that I'm aware of produces defective products and routinely corrects defects through software patches.  Then they leave it to the organization to take responsibility for maintaining the software products.  And organizations have accepted that responsibility!

It's that acceptance, not only of defective products but of the responsibility to compensate for those defects, that impedes the ability of most organizations to own information security.  As a security professional, I have a tough time making a case for corrective security measures when the organization doesn't recognize that there are any significant problems.  But, as a business person, I also don't believe that organizations should be judged poorly for their acceptance.

As another project, I challenge you to think of one major security breach that caused an organization to fail or even face significant losses.  Sony faced one of the most highly publicized breaches of its Playstation Network in 2011 and barely missed a beat, retaining subscribers and the revenue that they generate.  Based on my admittedly anecdotal review of usage statistics, no one was dumping their Playstations in the trash or disconnecting themselves from the gaming network.  With a slap on the wrist, they simply said "Bad Sony" and then continued using the service.  That outcome repeated itself shortly thereafter when it happened AGAIN!

If organizations are not facing collapse or even severe financial risk, then how do we impress upon them the need to take ownership of security?  Rather than rattle off the same old fear, uncertainty, and doubt (FUD) arguments to try to force organizations to take security "seriously" by demonstrating ownership of it, perhaps we should focus first on eliminating the culture of defect acceptance.  Until we succeed in addressing security as part of a broader business imperative, organizations will have no significant motivation to own it, and security professionals such as myself will continue to laugh at our own jokes.