Sunday, June 9, 2013

Cyber Barkers

Who do you trust? Who can you trust? Could it be that major events that you've heard about on the news regarding major breaches have more, much more to the story than you could ever know? Could it be that the RSA breach involved a Chinese national hired by RSA itself? Could the Israelis have been the hired assassins in the clean-up that followed in the days after the discovery of Stuxnet?

There's a sector of the security industry that slings intrigue to sell products. Anytime I'm on a call with their bigshots, I imagine them pacing around in their walnut paneled dens, wearing smoking jackets, and swirling a cognac.

They have seen ugly things. Uglier than you can even imagine; uglier than they are allowed to reveal. You think you know something, kid?

They are connected. They were talking with three letter agencies just this morning about this very subject... the one we're talking about that's so scary... which agency exactly cannot be revealed.

They have people in Russia, right now in fact, trying to infiltrate a hacking ring that's targeting your industry. There's a lot of indication that your industry is about to be in the cross-hairs much more than they have been so far. Trust me, one of my people abroad... and she happens to be drop-dead beautiful... which helps her get information... I'll tell you stories over a beer sometime... tells me that this is going to hit hard by next year.  Take note... and cover. You've got a bumpy ride ahead.

These are most likely just the stories of sad, pot-bellied guys who eat too much on the road. The worst trouble they run into is probably with their expense reports. But they'd like you to buy it and, most of all, to believe that you need their services to keep your operations top-notch.

The plot of the best Pakula movie is their back-drop. Their wares? Murky.

They'd like you to believe that once you hire them, you'll have briefings not unlike the president gets from the CIA (a much more insidious source of snake oil... but I digress).

But they are more the "like it never happened" guys of CYBER security.  I have no doubt they can get your basement, so to speak, free of horrible smells after an unfortunate back-flow.  (Some seem to be little more than an overly hyped RSS feed.)  But do they mean anything at all to your security program? Can they provide more than having one of your employees join Infraguard? I doubt it.

Why should I be bothered by all of this amusement?

These guys take our eye off the ball. They allow us to check a box on a list and are more of a good luck charm than a true, practical solution.  They validate the narrow, tool buying activities-- the side that treats security like a pathology that requires medication rather than a discipline that requires vigilance.  They make the easier work look more interesting than it actually is.

The true challenge is in software and data security. It's in the architecture. It's fixing the mistakes we've made and embedding security into the day-to-day of every layer of the stack. It's in understanding our responsibilities for the data we're entrusted to handle.

It's time we stop spending so much time on the intrigue while pretending it's real and valuable work. Let's spend our time and money on something more than pop entertainment and innate impulses, like little boys playing guns in the backyard.  Getting serious will be much more difficult and, to many, a lot more dull.  We'll know we're on the right track when it feels more like a challenging university class than a video game.

No comments: