The immature security industry

Apr 20, 2018, 6 mins
Data and Information Security, Technology Industry

The security industry often tries to do everything instead of putting focus on a singular area where we can make a real difference. This is a sign of an immature industry.

I was having a discussion the other day with a peer around the usual question of “If you could give out one piece of security advice what would it be?”

Usually, I have a hand-wavy answer about password managers or auto updates, but this time I stopped and really thought about it. As an industry we try to lump all security into one bucket and solve all problems at once. I'm not sure why it was different this time, but it really made me think about the fact that security isn't one bucket, it's a lot of different things, and I have a feeling that trying to put everything together is a big part of our problems. Trying to lump all problems together strikes me as a sign that the industry is immature today.

Nearly every profession has certain specializations associated with it. There are many different types of doctors, for example. Nobody would expect a radiologist to be conducting open heart surgery, nor would they even try. The medical profession seems to have a solid grasp on what its practitioners can and can't do. A lot of professions have a grasp on this, now that I think about it. We don't let electrical engineers build bridges. Security seems to lack this level of maturity.

I know a lot of security teams who seem to believe that if something is vaguely related to security, they should own it. If the application has a buffer overflow, it's quite confusing to think a team that has quite literally never checked out the source code is in any position to be leading that effort. Of course, such a security team could still offer some level of assistance, but believing they should own the process around coordination and remediation in this instance is a little silly.

This behavior is a sign of an immature industry. There was once a time when your barber and your doctor were probably the same person. Many of these "experts" were self-taught, using what is probably a very generous definition of "taught." This thought terrifies me today on many levels. Nobody would ever suggest this is a good idea anymore. It was probably considered OK at one time because nobody knew any better. The entire medical field was very immature and lacked standards. We of course now know this was a horrible idea and would never try to do such things again.

So, if we tie this back to security, it should be obvious we can't have one team trying to do everything. A lot of security teams and people try to be barber-physicians, which is going to end badly for most patients. We must understand that there is a lot of context around what security means in any given situation. The problems and needs of securing a desktop have very little in common with how to develop secure code. There will always be some overlap, but there is probably more that differs than is shared. Your surgeon probably has a pair of scissors, but they shouldn't be giving out haircuts.

The two areas I thought of right away are application security and user security. Both are obviously very important, and each would get different suggestions if I were going to pick out the top two things that could have the most impact. If I were asked for the two most important bits of overall security advice, I can't answer; the field is just too broad. Now, if I were asked to give two bits of advice for each of those topics, I think there are some answers. We can of course debate what those answers are, but that's a discussion that makes sense, so I welcome it.

We also like to get in the weeds when we discuss topics like this. When discussing user security, I would say the two biggest things one could do to improve security are using a password manager and enabling two-factor authentication. There are plenty of people who will find many reasons to distrust password managers. I've even found people who don't like two-factor authentication for a variety of reasons (true story). There are always edge cases; if you are an edge case and some bit of advice doesn't work for you, that's OK. It also doesn't mean that's a reason to throw everything out. Things that are an improvement for the majority are generally worth it. Some people are allergic to latex gloves; that doesn't mean doctors stopped using gloves, it just means they treat those patients differently.

So, the question now is: how many possible categories are there to break security into? If we can break this general field up into pieces that make logical sense, perhaps we can start to uncover some of the fundamentals. We can't solve problems we don't understand.

The 2018 RSA Conference has 28 tracks to categorize its various sessions. Whether all of those make sense can be argued, but it doesn't really matter; the more important point is that there are going to be a lot of categories, certainly more than ten. Do you know any organizations that have ten security teams? A lot of organizations don't even have ten security people. We can also wonder whether many of these classifications should require dedicated security teams or should just be functions of existing teams. It's turtles all the way down.

Luckily, all hope is not lost. Security is an industry that is starting to mature, if you're paying attention. A lot of conversations are moving away from blaming users and pointing fingers and toward understanding fundamental problems. For example, while many of us distrust and dislike the idea of regulation, there are things like GDPR coming that, while imperfect, give us a starting point. Nothing is ever perfect right away; we must give regulation time to work itself out.

We can again use medicine as our parallel here. The field of medicine didn't progress drastically until the 19th century. Then it probably made more progress in 200 years than it did in all of history before that. In fact, you could easily argue the largest advances have come in the last 50 years. The lesson in this history is one of using actual data and science first to understand problems and then to solve them, instead of relying on what we would now call witchcraft.

It will likely take many years to get us to a point where we have an actual security profession with various specialties. I look forward to that day, as it will mean we have solved a number of the problems that plague us today as an industry. Security is only going to become more important; the sooner we start to solve fundamental problems, the better.


Josh Bressers is the head of Product Security at Elastic. Josh has been involved in the security of products and projects, especially open source, for a very long time. Josh has helped build and manage security groups for many open source projects as well as a number of organizations, covering everything from managing vulnerabilities, the security development lifecycle, DevSecOps, security product management, and security strategy to nearly any other task that falls under the security umbrella.

Josh co-hosts the Open Source Security Podcast. Josh is also an active member of the Distributed Weakness Filing project, which is in the process of leveraging the power of open source for CVEs.

The opinions expressed in this blog are those of Josh Bressers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.