11 Truths the security industry hates to admit
Rich Mogull wrote an excellent column over at Dark Reading:
11 Truths the security industry hates to admit. The full text is up, a summary (with my comments) is included here.
1. Signature based desktop antivirus is an addiction, not effective security.
Could not agree more; signature-based automatically means that you're behind in the race. Unfortunately, heuristics or behavior-based algorithms are not as reliable as signatures are. The question is: do they really have to be?
2. The bad guys beat us because they're agnostic and we're religious.
My IDS is better than yours!
3. Antitrust concerns force Microsoft to weaken security.
Agreed, but then again, security is only one quality aspect of the overall IT landscape. In this case, I do feel that a more heterogeneous landscape trumps integration.
4. Vendors are like politicians - they lie to us because we ask them to.
Well, doh :)
5. We're terrible at talking to, or understanding, those that fund us.
Yup. Usually because we (on the receiving end) perceive funding as a deity-given right and anyone who holds it back from us has to be the anti-deity. Obviously, that perspective is "somewhat flawed".
6. Security researchers need to grow up.
Amen. Security research should be less about ego and more about actually improving the state of the world.
7. Security companies make more money when there are more incidents.
Fear sells.
8. Network security is the result of a mistake, not an industry worth perpetuating.
Agreed, but network security is just one layer in the multi-layered approach. Information security (which in my view encompasses network security, computer security and sociological security) is very much alive.
9. Disclosure is dead.
Not sure what Mogull means here.
10. Momentum will destroy us, until it doesn't.
Deep. Not sure I understand this one either.
11. We can't fail.
Flamebait :)