My initial coverage of RSA started with a report out of EMC and Carnegie Mellon, which found that the majority of boards weren't putting adequate effort into securing their companies. From there, things went downhill as meetings with McAfee and HP clearly showcased that companies were actually avoiding technology that could keep them safer. Similar to decisions people make to avoid medical checkups because they are afraid of what might be found, this behavior is just as suicidal.
This behavior also appears to be baked in because this week started with various stories about people's risky behavior and the resulting consequences. After all, one person taking an unreasonable risk puts everyone near them at risk as well.
This has led me to conclude that I've found the problem and it is us.
EMC Report: Boards Don't Care About Security
I won't cover the report again in depth - I did that here - but it clearly points out that in the face of unprecedented attacks reaching government-level funding, boards aren't escalating security to a level consistent with protecting their firms. In fact, on reading between the lines, they appear to be avoiding putting in place systems that could just monetize the risk they are taking. I'm beginning to doubt whether many are aware that only a fraction of the attacks are actually reported and they appear to be taking an all-too-common stance that the odds seem to favor their firm not being hit in the first place.
Security firms, which are clearly overwhelmed, have consistently said there are two types of companies in today's world: those that have reported being compromised and those that haven't yet discovered they are compromised. To make this even more clear, the odds, according to the folks collecting the data, of being penetrated aren't 1, 5, 20, 50, 80 or even 90 percent. They are 100 percent. I could see not getting disaster insurance if the chance of being hit by a tornado was less than 1 percent, but if it were 100 percent, folks might want to consider building bunker homes that could survive the event - yet, here in the business world, we are actually doing neither.
McAfee's More Chilling Comments
McAfee has been collecting an impressive set of solutions and, of the standalone security companies, enjoys the unique advantage of being backed by Intel and also increasingly being able to embed its technology into Intel's, resulting in an unprecedented level of protection. It, along with others, is tracking a massive increase in code insertion attacks against enterprise databases that are successful largely because the Web front ends to those databases are defective.
Because these front ends are often created by consultants or line-of-business units, IT is generally unaware of the exposures, which require a near-trivial skill level to exploit. Apparently exacerbating this is a trend of taking a website you like and copying its code, making only the changes necessary to customize the appearance. This means that, like a virus, these exposures are migrating from company to company while IT remains blissfully unaware.
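The "defective Web front end" pattern behind these code insertion attacks is, in most cases, a query assembled by pasting user input into SQL text. The following is an added example, not code from the article or from McAfee: it puts the defective pattern next to the parameterized form and runs both against a constructed in-memory SQLite table (the table, rows and column names are assumptions made for the demonstration). The point for a reviewer is that the defective version already breaks on an ordinary apostrophe, which is the cheapest check that a copied front end needs fixing, while the parameterized version treats any input as plain data.

```python
import sqlite3

# Constructed sample data: a tiny "customers" table standing in for the
# enterprise database behind a Web front end.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "o'brien", "obrien@example.com"),
]


def make_db():
    """Build the throwaway in-memory database used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defective pattern: input is spliced into the SQL text, so the input
    can change the structure of the query rather than just supply a value."""
    sql = f"SELECT id, username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened pattern: the query shape is fixed and the driver binds the
    input as a value, so quotes or keywords in it are just characters."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return
    (vulnerable_result, parameterized_result).

    A database error raised by the vulnerable path is returned as the
    exception class name, so a caller can see that a harmless apostrophe is
    enough to break it.
    """
    conn = make_db()
    try:
        try:
            vulnerable = lookup_vulnerable(conn, username)
        except sqlite3.Error as exc:
            vulnerable = type(exc).__name__
        hardened = lookup_parameterized(conn, username)
    finally:
        conn.close()
    return vulnerable, hardened


if __name__ == "__main__":
    # Three constructed inputs: a normal name, a name containing an apostrophe,
    # and the classic tautology a code reviewer uses to confirm the defect.
    for probe in ["alice", "o'brien", "x' OR '1'='1"]:
        vuln, safe = compare(probe)
        print(f"{probe!r:16} vulnerable={vuln}  parameterized={safe}")
```

The apostrophe case is the one worth remembering for a review: a front end that throws a database error when a customer named O'Brien logs in has the same defect that lets the tautology return every row, and the fix for both is the same single change to the query.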