Are IT Vendors Paid To Fail?
The heading links to an article I wrote over a year ago. The discussions that followed concluded that security will always be trumped by cost and convenience, never becoming a deal-breaker, be that for corporate or private purchases.
Based on economic logic, that leaves vendors with no motivation to invest in secure design.
That assertion is supported by figures in the latest Trustwave Security Pressures report, where 77% of IT professionals surveyed said they felt under the cosh to deliver inadequately secured solutions.
Then, this happened:
[Tweet: https://twitter.com/S_Clarke22/status/594410404610211840]
So there are CXOs out there with integrity (or more fairly, the clout to challenge the short-term profit motivated status quo). Then there’s this:
[Tweet: https://twitter.com/seancostigan/status/594801122457575424]
The potential for reputation destruction is at its most extreme in the security trade, and security bodies consuming solutions feel that acutely. That mustn’t detract from what WhiteHat are doing; hats (appropriately) off to them, and may many more (Adobe, Microsoft) follow.
Whether they will or not comes down to having sufficient confidence in their products and services. If those have a tendency to break, it just won’t be cost effective. There also has to be huge motivation to abandon the belief that backfilling (some) security during next-phase development (paid for by extortionate support contracts for the holey stuff) is OK. The business built up around that is incredibly lucrative.
Will enough corporate and private consumers (outside the world of security pros and other paranoid folk), ever vote with their feet? If they don’t, because security just doesn’t matter enough, how can vendors be pushed to re-examine how things are done?
More government-sponsored standards and other industry regulators? Is that really the best way? PCI DSS, often offered up as a best-in-class security standard, certainly hasn’t done all that was hoped. So is there a lever to make both the CXO and Joe Public eschew ropy kit, software and security services? I choose to keep faith, but right now very little looks set to change.
It is a hunt for economic and psychological weapons that let us go head to head with the money gods on their own turf.
Why does this matter?
When insecure solutions are sold, the risks get passed on to consumers, who have little or no legal recourse. Recent class action lawsuits against Sony and others are a possible sign of the tide turning. Well, maybe, if the notoriously tech-savvy judiciary can settle on a useful definition of harm.
Not only that, the cumulative effect of shipped vulnerabilities impacts the security of industries, populations and nations as a whole. No one entity can mitigate this, so security has to start at home. On that subject the below questions apply equally to selling security to your own board. They, just like the population at large, are motivated by savings and speed.
A sustainable status quo?
There are laws and regulations that apply variably to different sectors. Companies will also have more or less well framed security policies. There’s great scrutiny of compliance in financial services (albeit intermittently, if internal risk assessment isn’t mature), but little for retail.
In retail, where we have seen the most and biggest recent breaches, companies are left relatively free to self-police their security and privacy controls. There’s little statutory and regulatory control beyond payment card rules (where applicable), data protection and high-level computer misuse law. We also need to recognise that there is often a gulf between those legal and regulatory minimums and what could and should be done to safeguard consumers against current threats to their security, digital safety and privacy.
This is relevant to any number of IT and non-IT products and services, and with the Internet of Things, secure design of products and services has never been so vital.
I am looking for insights from Marketing, Sales, Legal, Information Security, Psychology, Behavioural Economics and any other interested parties as research for a follow-up to the article linked at the top.
As provocation, here are a few related questions:
- Will security and/or privacy ever be a deal-breaker for product and service sales?
- If not, why not?
- If you think it will, in which industries and for what kind of products?
- Which demographics are most likely to prioritise security and privacy in buying decisions?
- Are vendors motivated to adhere to legal and regulatory minimums for security and data protection?
- Are vendors motivated to go beyond minimum security and data protection requirements to assess and mitigate the real level of risk?
Ways to respond:
- Feel free to email me sarah.clarke@infospectives.co.uk*
- Or comment below
The intention is to shape feedback into an article for a security trade site where all non-anonymous contributors will be acknowledged. Should you prefer not to be specifically quoted, or prefer to be quoted anonymously, please let me know. Your response and identity may be used to inform my opinion, but the details will be kept secret and secure.
So what do you think? Will security ever matter enough?
*PGP encryption can be used for added privacy.