Tech 21 Century


Who should be responsible for Computer Software Security?

Information security is not a technology problem. It is an economic problem and in order to improve information security we will have to correct the economic problem first. Let’s do this and all others will follow.

The lack of security in computer software products costs us billions. We pay tons of money in information theft, financial theft etc.

We pay lots of money when productivity is lost, when networks stop working and when dozens of other major or minor problems of security arise in our work and home environments.

We also incur major financial losses when we are forced to buy security products and services to reduce all those information security issues. We pay for the security year after year.

The problem is that all the money we spend does not solve the problem. We pay, but still end up with security holes.

The problem is BAD and INSECURE SOFTWARE. Bad software coding practices, poor embedded software features, inadequate software testing and security weaknesses in software programming cause all the problems with information security.

The money we spend on security is intended to address the consequences of unsafe software.

That is the actual problem. We don’t pay to actually improve the security of the underlying software. We pay to temporarily cope with the problem and not to correct it.

The only way to correct the problem of security is to convince the vendors to correct their software by incorporating proper secure software coding techniques.

The only way to convince the software vendors to develop secure software is to force them to take up the costs and responsibility of security breaches and holes in their product.

There are many parties involved in a typical software attack: the company that originally sold the software with the security weakness, the person who created the attack tool, the attacker himself who used the tool to break into the network, the network operator who had been assigned to protect the network, and so on. 100 percent of the responsibility for an attack should not be borne by the vendor of the software; it should be shared among all the parties, including the attacker or the network operator.

But these days, 100% of the cost goes solely to the owner of the network and this should stop happening.

Liability changes everything. At present, there is no reason for a software company not to offer one feature after another after another.

Liability in security, however, will force software companies to reflect more carefully on a change of a software characteristic or feature.

Liability forces companies to protect the data for which they are responsible. Liability means that those who are able to correct the problem are also responsible for the problem. Software vendors should therefore bear liability for the security of their software product.

Information security is not a technological problem. It is an economic problem, and to improve information technology we will have to correct the economic problem first. Let’s do this and all others will follow.


Filed Under: Security

About Harris Andrea

Harris Andrea is an IT professional with more than 2 decades of experience in the technology field. He has worked in a diverse range of companies including software and systems integrators, computer networking firms etc. Currently he is employed in a large Internet Service Provider. He holds several professional certifications including Cisco CCNA, CCNP and EC-Council's CEH and ECSA security certifications. Harris is also the author of 2 technology books which are available at Amazon here.

Comments

  1. Mateusz says

    October 5, 2009 at 9:33 pm

    I think that the problem is when administrators rely on security of only one application or one specific protection mechanism. When the whole architecture wasn’t designed to be secure then the flaw in one point can compromise the whole environment.
