


If you see it as a binary choice, security industry or no security industry, of course it makes no sense.

If you see it as "the way the IT security industry is presently constituted is not effective, focuses WAY too much on network security instead of app and data security, and is incredibly reactive and tactically focused," then you've got it!

Remember the days when if you wanted a seatbelt in your car you had to buy it on the aftermarket and install it yourself? If you knew it was beneficial, and you were willing to put up with ridicule from everybody you knew? Probably you don't, but there were such days, and IT security is in similar days.



Agreed. I am amazed how many people have latched onto the words "we don't need a security industry" and gotten a bit defensive - which for better or for worse is how I read Gunnar's comments.

A mature IT or product development model that incorporates security at the front end and as a normal part of the development process has less of a need for a dedicated security team than an IT model that bolts on security at the back end. I've seen this play out numerous times. Unfortunately it's the latter that keeps us employed.


jsq - yes, we need manufacturers to put seat belts in cars. but we also need traffic lights, snow plows, and police to have a safer/predictable driving environment.

tim - i am not defensive, i am a software developer, i help people build security into their systems (what bruce says we should do). i think the security industry has major problems and needs a re-think. i still think it needs to exist on some level.
