We've Found the Enemy and It Is Us

My initial coverage of RSA started with a report out of EMC and Carnegie Mellon, which found that the majority of boards weren't putting adequate effort into securing their companies. From there, things went downhill as meetings with McAfee and HP clearly showcased that companies were actually avoiding technology that could keep them safer. Similar to decisions people make to avoid medical checkups because they are afraid of what might be found, this behavior is just as suicidal.

This behavior also appears to be baked in because this week started with various stories about people's risky behavior and the resulting consequences. After all, one person taking an unreasonable risk puts everyone near them at risk as well.

This has led me to conclude that I've found the problem and it is us.

EMC Report: Boards Don't Care About Security

I won't cover the report again in depth - I did that here - but it clearly points out that in the face of unprecedented attacks reaching government-level funding, boards aren't escalating security to a level consistent with protecting their firms. In fact, on reading between the lines, they appear to be avoiding putting in place systems that could just monetize the risk they are taking. I'm beginning to doubt whether many are aware that only a fraction of the attacks are actually reported and they appear to be taking an all-too-common stance that the odds seem to favor their firm not being hit in the first place.

Security firms, which are clearly overwhelmed, have consistently said there are two types of companies in today's world: those that have reported being compromised and those that haven't yet discovered they are compromised. To make this even clearer, the odds, according to the folks collecting the data, of being penetrated aren't 1, 5, 20, 50, 80 or even 90 percent. They are 100 percent. I could see not getting disaster insurance if the chance of being hit by a tornado was less than 1 percent, but if it were 100 percent, folks might want to consider building bunker homes that could survive the event - yet, here in the business world, we are actually doing neither.

McAfee's More Chilling Comments

McAfee has been collecting an impressive set of solutions and, of the standalone security companies, enjoys the unique advantage of being backed by Intel while also increasingly being able to embed its technology into Intel's, resulting in an unprecedented level of protection. It, along with others, is tracking a massive increase in code insertion attacks against enterprise databases that are successful largely because the Web front ends to those databases are defective.

Because these front ends are often created by consultants or line of business units, IT is generally unaware of the exposures that require a near-trivial skill level to exploit. Apparently, exacerbating this is a trend of taking a website you like and copying the code to make the changes necessary to customize the appearance. This means that, like a virus, these exposures are migrating from company to company and IT is blissfully unaware.
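The defect the two paragraphs above describe is the classic one: a Web front end pastes user input straight into a database query, so the input can rewrite the query. The example below is added here to make that concrete; it is not code from the article, from McAfee or from any product mentioned. It uses Python's built-in sqlite3 module, a constructed in-memory "customers" table, and a constructed probe string, and shows the defective lookup beside the parameterized one that closes the hole, plus a small input-flagging helper a monitoring tool might use to count attempts.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny "customers" table that
# stands in for the enterprise database behind a copied Web front end.
SAMPLE_ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defective pattern: user input is concatenated into the SQL text.
    Whatever the user types becomes part of the statement, so a crafted
    username changes the query's meaning instead of being treated as data."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterized query. The SQL text is fixed when the code is
    written and the driver binds the input as a value, so quotes or keywords
    inside it are just characters to compare against the column."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_suspicious_input(value: str) -> bool:
    """Defense-in-depth aid for request logging/alerting: flag inputs carrying
    SQL metacharacters so a monitoring tool can count probes. It is a detection
    heuristic (names like O'Brien will trip it), not a substitute for the
    parameterized query above."""
    markers = ("'", "--", ";", " or ", "/*")
    lowered = value.lower()
    return any(m in lowered for m in markers)


if __name__ == "__main__":
    db = build_db()
    # A tautology probe of the kind automated scanners send (constructed input).
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("hardened:  ", lookup_hardened(db, probe))    # no row matches
    print("flagged:   ", is_suspicious_input(probe))    # True
```

Run it as a script to see the two lookups diverge on the same input: the concatenated query returns the whole table, the parameterized one returns nothing. The point of the side-by-side form is that the fix is a one-line change in the query layer, which is exactly the layer that gets copied from site to site when a front end is cloned, so the defect travels with it unless someone scans for it.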

McAfee has developed one of the more comprehensive tool sets to identify escalation of privileges, code insertion and unauthorized access in real time. But it also has one of the leading tools to scan the enterprise and report insecure endpoints. One of its biggest problems in closing sales of this tool is that executives are afraid that the report will make them look incompetent. It may showcase that the enterprise isn't secure, which will reflect unfavorably on their competence. Given their limited resources, they would rather not know how exposed they are than know but not have the resources to correct the problems in a timely fashion.

This builds on the board problem of not funding security adequately because it removes what is likely the biggest proof point to a higher level of adequate security funding.

HP's Chilling Tale

HP's security organization is one of the fastest growing in the company. Growing at an impressive 30 percent year over year in revenue and with one of the largest pools of open jobs, it is moving to fill this group, which was largely built around its ArcSight acquisition, one of the more recent stars in HP's portfolio.

ArcSight is a SIEM (security information and event management) company. HP tends to supply services to the largest and most critical vertical markets in defense, health care and general government. It largely concurred with McAfee that customers' biggest impediment to deploying tools that could identify exposures before Anonymous-like catastrophes occurred was that managers didn't want executives to know how exposed the company was, for fear of looking bad.

Pipeline Manager's Scary Story

This isn't just security. I ended up the week talking to a company called Pipeline Manager. It provides a tool for sales that resides on top of Salesforce and can much more accurately assess the viability of the sales pipeline. It can point out salespeople who are in trouble and create a much more accurate view of the near-term future of company sales.

This kind of hit home for me because at IBM I was part of a team that fixed an annual forecasting problem only to get our CFO fired because some idiot controller applied a historical manual adjustment assuming the forecast was wrong even though it wasn't. This caused us to over-forecast significantly and the result embarrassed IBM and resulted in the early retirement of the CFO, who, sadly, was one of the best in the company.

The problem for Pipeline Manager, and it is very consistent with the security products, is that salespeople don't want executive management to know they are in trouble because it makes them look bad. So they would rather the company take the risk of over-forecasting and failure than risk embarrassment.

Wrapping Up: We May Need to Accept That We're Idiots

Here in California, after a series of devastating earthquakes, we put in place building requirements that were to assure survival. Then in the early 90s, after a large number of deaths, these rules were updated. We recently saw Japan crippled because of a tsunami hitting a nuclear plant that was clearly out of date in an area known for massive seismic events.

We build homes in flood areas like New Orleans that aren't designed to survive floods, homes in tornado areas that aren't designed to survive tornadoes and in security we apparently avoid tools that can point out exposures.

I think it is well past time that we consider our behavior and collectively conclude it isn't working and that our businesses and lives are at unreasonable risk as a result. In the end, we should all be making more effort to assess the risks we are taking before taking them (the financial collapse a few years ago is another case in point). In the end, our lives depend on informed decisions, something even Steve Jobs learned the hard way recently, and avoiding tools that can help us make them is terminally foolish.

In the end, this suggests that in each of our organizations and governments there are people actively working against giving us the information we need to make good critical choices. It also suggests that from time to time we are those people. Understanding and eliminating this may be key to both our professional survival and our families' safety.