Stop Blaming Users for Security Woes

I felt like the dumbest kid in the class.  And that’s a good thing. 

I had the opportunity this week to help out the NPR station WAMU in Washington, D.C., by serving on their Community Advisory panel as an IT professional talking about Cyber Security.  The panel was quite distinguished. The Director of the SANS Institute, a former Washington Post columnist now writing exclusively on security, the director of information security at American University, and a prosecutor for Montgomery County, Md., all served on the panel.  Oh, and me.

The topics and discussion were wide and varied. We talked about everything from backups and virus scanning to global terrorist networks using information in the war on terror. I hadn’t thought about the fact that that air, land and sea had been joined by “online” as a battlefront that wars in the 21st century and beyond will be fought on.

One of the biggest things that I took away from the conversation was a focus on how we should stop blaming users for security problems, and instead push security management back into the hardware and software we develop and deploy, as well as work with the vendors to bake it more completely into the offering. It was also offered as a suggestion that it be pushed into the network and onto the wire, where ISPs and connectivity providers could manage security more centrally for their customers.

Management concerns like this are the reason that service models like managed services have come to be successful, and why cloud computing will also become more and more successful. Customers don’t want to have to become security experts to manage their environments. They want this responsibility pushed back, and their devices made easier and more reliable.     

There is pent-up demand for more secure and reliable systems. One of the theories that was offered in the discussion was that it will take significant changes in buying patterns for vendors to make these changes, and that only government or education, sectors that have the buying power to demand these changes, will be effective.

I’m not so convinced these are the only two markets that can change this. While it’s challenging, I think that the commercial market can make this happen. As we move more towards a cloud computing model, vendors that deliver solutions that are secure by design, “user proof” and effective will be in high demand. These will the game changers, and the vendors that truly will take us forward to this next generation.    Customers will buy this up in record numbers – and the vendor who offers it first will win, and win big.

We often blame “users” for security woes. I will agree with my esteemed colleagues that we should focus more on an approach that provides users with a safe computing environment by design, and the vendors that really deliver on this promise will be the successful ones in the new frontier of cloud based computing. I’m already starting to look for those “simplest” solutions, and those that achieve here will dominate the market – and customer mindshare.