« XML Security Gateway Evaluation Criteria Project | Main | Understand Web 2.0 Security Issues - As Easy as 2, 1, 3 »

Comments

Iang (Market for Silver Bullets)

> “Is the Jones family really the goal?” I asked myself.

The reason that security people do what their competitors are doing is because they cannot explain what is right and proper. In such an environment, they have to CYA by doing _best practices_ which naturally emerge to be a standard set (it doesn't matter what the best practices are, only that they exist). Best practices secures the jobs of the security people, because there is nothing, apparently, better that they can do. Problem solved.

(I call this the market in silver bullets.)

The underlying problem then becomes one of knowing what security is and how to improve that knowledge. For this reason, secondary disclosure of breaches is very interesting; if we can disclose our breaches to our competitors, then our knowledge can improve.

Unfortunately, breach disclosure suffers from a prisoner's dilemma, as we only benefit if we all exchange the information, and we don't lose if we cheat.

The comments to this entry are closed.