Old ways of thinking a barrier to security

Security companies survive by talking up threats and selling sticking plasters. It's their turn to feel insecure
Written by Leader, Contributor

For people whose job is keeping us safe, security companies are peculiarly unloved. Some of that is unfair: when security works, it's invisible, and the only time it's thought about is when cheques are written or systems have failed.

Yet the security industry does itself no favours by overhyping threats. The latest prognostication from Kaspersky that "ransomware" is going to encrypt our hard disks with menaces will terrify anyone — unless they've backed up their data. Anything and everything has been identified as the next big threat, but from mobile phones to iPods to the Macintosh, they've stubbornly refused to play. We shouldn't be surprised that reality refuses to conform to the marketing diktats of the big security companies, nor that they should try so desperately to convince us otherwise.

We don't need a security industry. Indeed, its existence is a sign of failure. Like the boy in the bubble, it embodies a false hope — that we can cut off reality through an impervious shield. Such a shield can never work: instead, we need to be intrinsically secure, our immunity part of our system.

That is why RSA president Art Coviello should be correct when he predicts the end of nearly every security company currently in business. He rightly berates them for their smug self-righteousness and reactionary philosophy. The answer, he says, is for networks and storage systems to keep data safe through strong encryption and smart usage monitoring.

His model, also known by the unlovely eight-syllable deperimeterisation, is intuitively correct: a threat is no threat if it can do no damage when it arrives. It also works well with our new default way of working — connecting to core business services through random points on the public internet, often from hardware completely outside the control of the organisation. The barrier method is the wrong answer here.

Our main problem in moving forward is the elephantine inertia of the status quo. The tentacles of multibillion companies are firmly entwined with retail channels and corporate budgets, feeding off ignorance and fear rather than logic and experience. It remains within their power to reinvent themselves — to form new alliances, new approaches. If they don't, then they risk becoming ever more marginalised. The industry is evolving — and they are very far from immune.

