The security problem is a people problem…surprise.

Well, it looks like the new cyber czar is a noob in the eyes of the greater IT community, all because of his “you don’t have to be a coder” comment. First, why would anyone in the IT field expect someone in management to be able to configure a firewall on their own? j/k Frankly, the cyber czar or any other management position doesn’t need a detailed IT background to succeed where the real problem exists – between the ears of everyone touching a keyboard, mouse, iPad, or smartphone.

Security is not a problem with information technology; vulnerabilities are. Vulnerabilities are inherently created by the people who wrote the software. They are exploited by other people. Yet other people create the patch or find another way to mitigate the risk. Still other people choose to apply or ignore the patch, or inadvertently misconfigure the technology, creating more vulnerabilities. See the common theme?

Fixing the vulnerabilities is actually the simple issue. Security suffers from a lack of interest – it’s not fun to build security into a fancy new application when you can focus on adding another feature. Who’s got the time to set up their home firewall properly? Why would a neighborhood convenience store pay more to have their point-of-sale system set up properly when they already have razor-thin margins? What will it take to get an industrial engineering firm interested in building secure equipment to control our critical infrastructure? Our government and elected officials are showing some interest in improving security regulation, but how long will that last once the election year is over? How much can they actually accomplish with no understanding of the problems or solutions? And who selects the consultants who will influence the decision makers in charge of the purse strings? What are their motives – profit or the customer?

Take, for example, the latest Home Depot incident. Their own staff repeatedly warned them about known vulnerabilities, and many of those staff quit after being ignored repeatedly. Home Depot hired a senior IT architect who had been fired from his previous company and had left its network broken by his sabotage. They assumed monitoring systems would not have detected anomalous activity from the newly discovered BlackPOS malware. The icing on the cake would be if the “cyber insurance” policy that some reports describe actually exists, apparently leading management at Home Depot to think “it’s not really that bad for us.” What about all of your customers? Do you think that policy is going to cover blatant insecurity? What about the inevitable class-action lawsuit?

Home Depot’s problem was a people problem. It wasn’t just the typical “security does nothing but hurt the bottom line” mentality seen at many businesses. It was an egregious lack of oversight and enforcement by multiple layers of the business, as well as the card providers allowing businesses to self-certify compliance. All it would have taken was one person at the C level to simply think “what if?” What if I get hacked? What if one of my employees goes off the rails? What if my vendors leave a wide-open hole into my payment processing system?

Guns don’t kill people, people do. Computers do not make insecurity, people do. There are two possible outcomes. Either we as security professionals will convince all the right people in all of the right places why security matters now and how to do it right, or the economy will putter along unfettered by the “shackles” of a security-driven mindset until someone finally causes a cyber-9/11 and brings us to our knees in real life. The options for either outcome are endless, but one key decision must be made: how will we solve the people problem?