I am with Pete Lindstrom on this because, well, crikey, it makes no sense - Schneier says - we don't need an IT security industry. It's a big historical accident. Programs should just be naturally secure. Uuuhhhmm...okkk....that's great and all, we'll just move all our lives, assets, money, businesses, and stuff to the digital world and these perfectly secure programs will magically protect them all. If ifs and buts were candy and nuts, we'd all have a Merry Christmas.
Except in real life these things don't protect themselves either. We seem to spend 500 billion USD annually on the military, plus law enforcement, fraud detection, and so on, because we have assets that need to be protected (I have never seen (so far) a $100 bill defend itself from a criminal; this may be a utopian vision, but perhaps with sufficient nanotechnology in my lifetime...sheesh). Some percentage of what your asset is worth gets put towards protecting it. Our assets are increasingly digital. Oh yeah, and no one has actually figured out how to write/deploy/scale secure programs either (want to be secure? buy a firewall...want to be twice as secure? buy two!)...the US Navy exists today not to fight wars, but to keep supply routes open for commercial ships (many of which are not US ships); the ships, the ocean, and the shipping lanes are not "naturally secure". You know why? Because nothing is!
Why did Brazil never have wars? he wondered. Brazil was a really big country on a big American continent. How come Brazil had no enemies? It didn't make sense... Brazilians didn't invent much. Well, that explained it. -Bruce Sterling, Zenith Angle
I do agree that the way the IT security industry is presently constituted is not effective, focuses WAY too much on network security instead of app and data security, and is incredibly reactive and tactically focused. So the lineage of how we got here versus the real issues needs to be addressed going forward; but that is a lot different from saying that these products and services will just secure themselves.
The pharmaceutical industry is just an historically accidental aftermarket that cropped up because human bodies are not naturally resilient.
Dentistry is just an historically accidental aftermarket that cropped up because teeth are wimpy.
Insurance is just an historically accidental aftermarket that cropped up because people should know when they are going to die/get sick/have a fire in the house.
If you see it as a binary choice, security industry or no security industry, of course it makes no sense.
If you see it as "the way the IT security industry is presently constituted is not effective, focuses WAY too much on network security instead of app and data security, and is incredibly reactive and tactically focused," then you've got it!
Remember the days when if you wanted a seatbelt in your car you had to buy it on the aftermarket and install it yourself? If you knew it was beneficial, and you were willing to put up with ridicule from everybody you knew? Probably you don't, but there were such days, and IT security is in similar days.
-jsq
Posted by: jsqrisk | May 10, 2007 at 08:13 AM
Agreed. I am amazed how many people have latched onto the words "we don't need a security industry" and gotten a bit defensive - which for better or for worse is how I read Gunnar's comments.
A mature IT or product development model that incorporates security at the front end and as a normal part of the development process has less of a need for a dedicated security team than an IT model that bolts on security at the back end. I've seen this play out numerous times. Unfortunately it's the latter that keeps us employed.
Posted by: tim | May 10, 2007 at 09:24 AM
jsq - yes, we need manufacturers to put seat belts in cars, but we also need traffic lights, snow plows, and police to have a safer/predictable driving environment.
tim - I am not defensive, I am a software developer, I help people build security into their systems (what Bruce says we should do). I think the security industry has major problems and needs a re-think. I still think it needs to exist on some level.
Posted by: Gunnar | May 10, 2007 at 10:19 AM