The fear mongering security specialist

Jan 10th, 2010

Bruce Schneier (the Chuck Norris of IT security) recognized a long time ago that security these days is a lot about fear mongering and a lot less about actual knowledge. In fact, “fear” currently appears 3150 times on his website, versus “security”, which appears 7100 times. Could we draw the quick conclusion that IT security is half fear mongering?

Unfortunately we can. IT security is a lot about user education and a lot less about technology. Most serious security companies will recognize that even when you deploy the latest and greatest security equipment, you are still not doing too well on security, since your users will lose a laptop, write the password on a post-it stuck to the monitor, leave confidential information lying around and generally not pay much attention to the “data” that is so valuable to the company. To further prove the point that security is about users: the ISO27000 family of security standards focuses on process and awareness, not on the technology deployed. This means that as long as employees understand the value of the data and the method of handling it securely, you are way better off than dumping budgets on equipment.

However, IT specialists continue to buy the most expensive equipment out there. A good example is the company Sourcefire. This company was founded by Martin Roesch after the immense success of Snort, an open source IDS/IPS system. Snort quickly established itself as the de-facto standard for IDS/IPS while still being a free and open source project. While Snort was brilliant, it did not penetrate the enterprise environment. Was support lacking? Maybe. But with 4.000.000 articles on the subject on the internet, it is a pretty damn well documented product, and we could consider deploying it non-critical (run it alongside your old IDS if you want). Something was still missing. Probably it was the CYA factor.

So Martin went ahead and founded Sourcefire. Now Sourcefire offers the same Snort code base deployed on a hardware platform (a server), and security specialists all around the world are loving it. Because it’s a good product? Sure it is. However, it costs a lot of money for the same functionality offered by Snort, which is free. There are many more reasons to go for Snort: since you can deploy it on your own server, you can also upgrade your hardware, as opposed to the commercial version, where you’ll need to scrap the hardware in a couple of years. The huge amount of money saved could be used for user education and for training technical staff to administer an IDS and understand its output. But security specialists will still buy the commercial version. Why?

Training staff is hard (especially changing their mindset), and besides, it’s almost impossible to measure the effectiveness of such a program. Your fear mongering security specialist will prefer to spend the money on an expensive box (or many of them) which can be designated as an “effective” security measure with a high CYA factor. If a security breach happens, your fear mongering security specialist will argue that he deployed the best technology out there and that it was just an unfortunate act that could not be prevented.

Your fear mongering security specialist fears his own lack of understanding of security. Most of today’s self-proclaimed security specialists are in fact second-class IT technicians who ride executives’ fear and the media hype. Ironically, each security breach at a company that implements the same dumb strategy as they do only expands their aura.

  1. Neil Roberts
    Jan 11th, 2010 at 12:19

    I smell a career in IT Journalism around the corner..! Nice piece, backed up by clear facts.