This builds on the board problem of not funding security adequately because it removes what is likely the biggest proof point to a higher level of adequate security funding.
HP's Chilling Tale
HP's security organization is one of the fastest growing in the company. Growing at an impressive 30 percent year over year in revenue and with one of the largest pools of open jobs, it is moving to fill this group, which was largely built around its ArcSight acquisition, one of the more recent stars in HP's portfolio.
ArcSight is a security information and event management (SIEM) company. HP tends to supply services to the largest and most critical vertical markets in defense, health care and general government. HP largely concurred with McAfee that customers' biggest impediment to deploying tools that could identify exposures before Anonymous-like catastrophes occurred was that managers didn't want executives to know how exposed the company was, for fear of looking bad.
Pipeline Manager's Scary Story
This isn't just a security problem. I ended up the week talking to a company called Pipeline Manager. It provides a sales tool that sits on top of Salesforce and can assess the viability of the sales pipeline much more accurately. It can point out salespeople who are in trouble and create a much more accurate view of the near-term future of company sales.
This kind of hit home for me because at IBM I was part of a team that fixed an annual forecasting problem, only to get our CFO fired because some idiot controller applied a historical manual adjustment assuming the forecast was wrong even though it wasn't. This caused us to over-forecast significantly, and the result embarrassed IBM and resulted in the early retirement of the CFO, who, sadly, was one of the best in the company.
The problem for Pipeline Manager, and it is very consistent with the security products, is that salespeople don't want executive management to know they are in trouble because it makes them look bad. So they would rather the company take the risk of over-forecasting and failure than risk embarrassment.
Wrapping Up: We May Need to Accept That We're Idiots
Here in California, after a series of devastating earthquakes, we put in place building requirements intended to ensure survival. Then in the early 90s, after a large number of deaths, these rules were updated. We recently saw Japan crippled because a tsunami hit a nuclear plant that was clearly out of date, in an area known for massive seismic events.
We build homes in flood areas like New Orleans that aren't designed to survive floods, homes in tornado areas that aren't designed to survive tornadoes, and in security we apparently avoid tools that can point out exposures.
I think it is well past time that we consider our behavior and collectively conclude it isn't working, and that our businesses and lives are at unreasonable risk as a result. We should all be making more effort to assess the risks we are taking before taking them (the financial collapse a few years ago is another case in point). Our lives depend on informed decisions, something even Steve Jobs learned the hard way recently, and avoiding tools that can help us make them is terminally foolish.
In the end, this suggests that in each of our organizations and governments there are people actively working against giving us the information we need to make good critical choices. It also suggests that from time to time we are those people. Understanding and eliminating this may be key to both our professional survival and our families' safety.