The real problem with the security industry


Ask a security professional about information security challenges, and you’ll get an earful of complaints about everyone else: Users click on bad links and open attachments, developers release buggy code, IT lags in applying software patches, the C-suite doesn’t understand security priorities, and so forth.

But the truth is that IT is figuring out how to work with developers and, today, many enterprises are starting to take user training seriously. It’s security professionals who fail to collaborate, because they’re too busy pointing out all the things everyone else is doing wrong.

Case in point: Last week, when I was at the RSA Conference in San Francisco, the DeveloperWeek conference was underway nearby. At the latter conference, I could find only one security-related talk on the schedule — Pete Chestna, Veracode’s director of developer engagement, talked about how security was the next opportunity for developers. Veracode also had two workshops at DeveloperWeek on how the company approaches DevSecOps (the integration of devops and security).

To me, it’s astounding that none of the usual experts who rail about software vulnerabilities and application security made their way to DeveloperWeek. It raises the question of just who these companies are selling to if they aren’t talking to developers.

— but ever since the company axed its Trustworthy Computing Group in 2014, it has practically disappeared from the security conversation. Microsoft rationalized the shutdown at the time saying that security needed to become part of each product team, instead of maintaining an overarching domain.

It’s a stark change from when Microsoft launched Trustworthy Computing back in 2002, when then-chairman Bill Gates wrote in the company-wide memo, “We must lead the industry to a whole new level of Trustworthiness in computing.”

, but in many security areas, it still follows industry trends — an early adopter, to be sure, but it isn’t blazing new trails. Plenty of innovative security startups tackle big challenges, but none have the kind of mindshare Microsoft had, in part because they target specific issues. Mozilla used to be a security darling, but it hasn’t used its megaphone in a while.

That leaves us with Google. In a way, Google fits the pattern Microsoft set, using its dominance in search and the popularity of its Chrome web browser to push everyone else to adopt better security. Google was the first to declare that its browser will no longer trust websites still using insecure SHA-1 certificates. It has pushed certificate authorities to adopt Certificate Transparency, primarily because the company kept discovering fraudulent digital certificates being issued for its properties. It has made libraries available for developers interested in taking advantage of Chrome’s support of FIDO standards for authentication.

It’s also pulling back the curtain on how it tackles security internally, such as its recent whitepaper discussing its rollout of hardware security keys to its employees to handle multi-factor authentication. Shortly after the disclosures by Edward Snowden on how the National Security Agency tapped data center connections to intercept internet traffic, the company encrypted all its internet traffic, in and out of the data center.

At the RSA Conference, Google discussed its seven-year rollout of the BeyondCorp framework, where the network is considered untrusted and trust is based on what the company knows about users and devices connecting to the network. BeyondCorp starts with the acceptance that perimeter defenses like firewalls and other trusted network security equipment are ineffective when employees use myriad devices and are constantly moving around in and out of the network.

Despite all that, Google tends to take a go-it-alone approach. It’s not really cultivating a partner ecosystem with the idea of tackling security problems together. It uses its market position to make security pronouncements, leaving other companies to decide whether or not to follow suit. The company shows off its successes via whitepapers, which take the tone of: “Everyone does this wrong, but we alone know how to do it right.”

In today’s dog-eat-dog world, perhaps the idea that everyone needs to pitch in and work together to make security better for everyone is archaic. Maybe Google’s style of “the only true way is the Google way” is what suits the security industry now. But what results can we expect from that approach?