Morgan Housel has a post up on why "Finance is a strange industry". Reading it, I felt that each and every point applies to infosec as well.
"I can't think of another industry in which there is so much ignorance around costs."
Security is complex and costly. Most of the solutions are suboptimal and fraught with tradeoffs, but you'd never know it judging by how companies lurch from silver bullet to silver bullet. Even something as basic as building a rational security budget is an elusive target.
"I can't think of another industry in which people capable of doing so much harm don't need credentials."
Pretty clear that infosec does not have much in the way of credentials, and the ones we do have are usually mocked. Infosec glamorizes the attack side and finding vulns, admiring the problem, whereas on the defense side it's more boring, drain-the-swamp kind of work.
"I can't think of another industry in which results matter so little."
There's no feedback loop from what works in defending systems to what people actually do. In fact there is a complete disconnect. Security started with a network-centric focus and, due to the perils of incrementalism, we're still there.
"I can't think of another industry that is so poorly taught in school."
Security isn't so much poorly taught as not taught at all. Even excellent developers do not know what they don't know, a risky proposition. When I do training I am usually training people with zero days of secure coding training. As I say, zero days in, zero days out: zero days of training in, zero-day vulns out.
"I can't think of an industry that is so important to everyone yet so few care about."
Computers are everywhere, but computer security isn't. So far this hasn't been a total disaster, but we are marinating in vulnerabilities, and unless we start getting rid of them they will come back to bite. Old vulnerabilities never die; you have to kill them. But to do that, people need to care, and it's a slog, not a glamor detail. That's a problem in an industry that glamorizes rock stars. We need plow horses, not show horses.
I am more optimistic on the last one than on any of the others. Front-page stories every day are having an effect. Security investment is going up, and if we can get better at taking yes for an answer and try some new approaches, then things may begin to improve.