I just read this article called 8 Dirty Secrets Of The Security Industry, which seems pretty nasty. Let’s briefly have a look at them:
- Vendors do not need to be ahead of the hackers; they only need to be ahead of the buyer: Wow, this is a bad statement – but how true is it? It might be true. Something I see from time to time: companies that are making money from the bad things happening tend to reveal the threats and immediately offer the vaccination. So, how true is this statement?
- Antivirus certifications do not require or test for Trojans: I am not an AV specialist, but to me these certifications are similar to crash tests for cars: the vendors know exactly how the crash test is done, therefore the car can be prepared accordingly. Unfortunately, the real accident does not follow the rules of the crash test… Does this mean they are useless? No, I think there is a certain value in these tests, but they should be looked at with care.
- There is no perimeter: Wow, what news :-) – if you have read my blog over the last few months, you will have realized that this is one of the themes I have been promoting for quite some time. Just as an example: Are you ready for your users of the (near) future?
- Risk assessment threatens vendors: This is similar to a statement like “a knowledgeable buyer threatens the vendor”. I think that if you have a vendor that wants to partner with you instead of just looking for the immediate gain, this should not be a problem for the vendor. I always claim that you should do your homework and do risk management.
- There’s more to risk than weak software: This is clear as well, and we often talk about the Layer 8 problem: the user!
- Compliance threatens security: This is an interesting statement, as a lot of companies think that if they are compliant with xyz they are secure! Nonsense. If you are compliant, you are compliant – that’s it (you might quote me on this :-)). It reminds me of the ISO 9000 wave a few years ago, when every software development department wanted to become ISO 9000 compliant. What I sometimes saw was just a better documented mess and not really a streamlined process. Once they cleaned up AND documented, ISO 9000 made a hell of a lot of sense. So, it might help to show you the way, but it is not the ultimate goal.
- Vendor blind spots allowed for the “Storm” botnet
- Security has grown well past the “do it yourself” stage: Not everybody has understood that yet when I look at a lot of customers. Somebody is just doing security as a side job, and this will not work! It is a job for a Subject Matter Expert (might be one with a certification – what about compliance?) – unless you have nothing to protect :-)
To me, these 8 points are neither dirty nor secrets but definitely interesting to look at.