Why don't companies buy more secure software?

Bruce Schneier on balancing security and functionality

Balancing security and functionality is nothing new. But is there a way to fairly allocate the security costs to the users who benefit from the functionality? We ask the LinuxWorld OpenSolutions Summit keynote speaker Bruce Schneier.

Why don't companies buy more secure software, or at least why don't they buy less insecure software?

You know, those of us in the security industry have been wringing our hands over that question for years, for decades. Why don't they do it? There are a couple of reasons. The first is -- it's sometimes hard to tell what a secure product is. I can hold up two products; they use the same buzzwords. They have the same protocol standards. What is secure, and what isn't? And you don't know. And these might be security products. These might be networking products or office products. It's very hard to tell what a secure product is and what an insecure product is. That's reason one.

The second reason: companies actually don't want to be secure. That's wrong. They want to be secure, but it's more important to be able to do things. So, installing a firewall, which would make you a lot more secure, a company is going to configure it pretty much open because it allows them to do peer-to-peer file sharing or use this application or do that or check their mail from afar -- all those things they want to do that go against security. So, when security goes against functionality, it often loses, especially at the high level. You can tell a lowly employee to be secure, but you're not going to tell the CEO. That's the second reason.

The third reason is that a lot of the insecurities we see don't affect the company at the boardroom level. A worm and a virus attack, which might make all the tech staff scramble and work without sleep for 15 hours, the CEO doesn't see. He doesn't care. As far as he's concerned that worked out great. Why bother spending? So, you have a whole lot of factors in play. It's not that companies don't want to be secure; it's that they either don't care or don't know how or don't understand they're not.

So, if you've got, say, a marketing department that asks for some big Web application to be installed, and then it turns out there's a security issue with that, whoever is the "security person" inside the company ends up cleaning up that mess.

And the security people know that. I mean, if you say no too often, the marketing department is going to go around you. If you say no wireless, someone is going to stick an access point in. If you say no BlackBerry, someone is going to forward their mail to Google, and then get it from there. As a security officer, you're in a very tough position of basically having to allow what the employees want to do and doing the best you can. Now, that's not necessarily bad. If you think about it, security is there to make the company safe while it's in business. If the company can't do the things it wants to do, then the security is irrelevant. So, I'll give you an easy example. When you go to Amazon.com and you buy books, you can use a secure server. You can use SSL. You could also choose not to. And if you click on "don't use a secure server," you know what Amazon does? They sell you the book anyway. They realize that even though it's less secure, it is still good business for them to sell the books. There's an example of the business process taking precedence over security. I mean, there are some things you should never do, but in general security doesn't win when it goes against what the company wants to do as a company.

So, is there any way to allocate security costs onto the departments that are asking for and receiving the benefits of possibly insecure things?

That's the trick. And I think you have to do that. I mean just like many companies pass IT on to the different departments and have interdepartmental accounting, they could also pass security. If the marketing department decides that it wants to have a new application that punches a new hole into the firewall, and maybe it's good, and maybe it isn't, you could say to the department, 'This is what it is going to cost you, and the cost will be higher because of increased insecurity.' That can work pretty well for some things. For some things it won't. If you're worried about the corporation as a brand, if you're worried about a network breach that will put the company on the front page of the newspaper, you really can't allocate that to a department because it's a very, very great cost, and it affects the entire company. You have one department putting the entire company in jeopardy. So, it's harder to do that kind of economic thinking. But you're on the right track. We need to think about it economically.


Don Marti

LinuxWorld