Security Needs A Culture Change
Innovation alone is not enough. We also need to make it easier for companies to implement more secure systems
In the security world, innovation is badly needed across many areas. Here’s my personal list:
(1) Post-Quantum Cryptography
Researchers in the field expect cryptographically relevant quantum computers to arrive within the next couple of decades. That is a threat to the public-key schemes in widespread use today (RSA, Diffie-Hellman and elliptic-curve cryptography are all broken by Shor's algorithm) and to every security system that depends on them; symmetric ciphers and hash functions are affected far less and can be dealt with by moving to larger key and output sizes. Because traffic recorded today can be decrypted once such a machine exists, research into post-quantum cryptography, and into how to deploy it, is critical.
(2) Usable Security
Security mechanisms need to become more user-friendly. Bad UI design is the norm rather than the exception in security, and it creates vulnerabilities of its own: when a mechanism is hard to use correctly, people misconfigure it or work around it.
(3) Easy Roll-Outs
As new security mechanisms become available, we need to find better ways to include them in existing systems without causing major disruptions. If we want people to use the latest technology, we need to make it easy for them to do so.
(4) Research the Boring Stuff
We need to do occasional, brutally honest assessments of our research agendas to make sure we’re not focusing on topics that are interesting to us at the expense of more critical areas of need. For example, we all know we need to ensure that software is adequately tested — perhaps in the way Underwriters Laboratories certifies that new electrical devices are safe to use — yet we’ve made very little progress towards that goal.
It's no secret that the status quo of patching vulnerabilities once they're discovered isn't enough, and we seem to forget that we are well past the point where blocking the latest known attacks is sufficient. We need to be working on the larger problem of how to design and build stronger systems, without neglecting the day-to-day work of today's security administrators.
As a former security research leader who transferred early results to the commercial product world, I’m fiercely proud of how the first generation of intrusion detection systems and products that assess and manage vulnerabilities improved the IT world. System owners can now view current vulnerabilities and attacks in ways that allow them to deal with these critical operational risks before attackers inflict damage.
Yet I always knew that these technologies were not a long-term solution to security problems. A much bigger lift will come when we finally adopt better practices for how we design and develop code. We need more rigorous ways of designing, testing and checking our code. We don't use many of the tamper-resistant mechanisms available on the market, even when it has been demonstrated that they can significantly reduce the vulnerability of a wide range of systems. We tend to be cavalier in dealing with legacy systems, which can be riddled with vulnerabilities. We have taken decades to implement strong identification and authentication mechanisms. Perhaps most damning is that we allow entities with no background in security or technology to drive and control the markets for security products and services. The recent suggestion that there be a concerted effort to select corporate board members who have expertise in IT security is a first step towards acknowledging this problem. Executives (both government and commercial) should understand IT security risks in the same way that they're expected to understand the other risks of doing business (e.g., financial, legal, operational).
The lesson here is clear: Innovation alone is not enough. We need to improve the rate at which research results enter the real world as tools or techniques — this is what I’m currently working on. And we need to make those new tools easy and compelling to use. Only then will we start to change the culture around security.
The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own.