Sunday, June 12, 2011

Why isn't Information Technology Security (referred to henceforth as ITS) a success story after so many rules, standards and regulations?

This post is written in English as it serves a dual purpose:

1. As an answer to Mr. William Beer, Director of PwC London and Leader of PwC's OneSecurity Practice, who was one of the speakers at the Tel-Aviv University conference on "Cyber warfare – international, political and technological challenges" that took place on June 9th. The title of his talk was: "Cyber - New rewards and risks to businesses and governments. Why a different approach is needed".

2. To reach a wider audience than only the Hebrew readers of my posts.

I would very much appreciate readers' comments on this post.

As a matter of fact, I believe the question has two answers.
The first is easy for me to write, as I'm quite sure about it.
For the second I have some speculations, and I would like to read your remarks on this post before I write mine.

Question: Why don't we have good ITS?

1. BECAUSE NO ONE REALLY WANTS IT. AMAZING. Don't you think?

This of course needs an explanation. So here it comes.
To achieve good ITS you have to invest money and time. These two elements are critical factors in a super fast growing need for more and more Information Technology, as this is the engine that drives modern society. No one argues that the correct starting point for integrating ITS should be the development phase of a product. Adding ITS to an IT product during that phase, and I mean what we professionals call "SECURITY by DESIGN", will produce products with much better ITS when they are deployed. BUT, you have to pay with MONEY and TIME. The product will be more expensive to develop, and it will take more time to bring it from the beginning of the development phase to selling it on the market. This means: BIG TROUBLE for ITS.
The first magic phrase in the Information Technology world is "Time To Market". Only if a product developer MUST, but really MUST, add ITS will he sacrifice "Time to Market" for "Better security". The same goes for the second magic phrase, "Lower Costs", or its equivalent, "Return On Investment". Consumers of Information Technology buy with their wallet. They're after cheaper products with better ROI. Adding ITS in the development phase makes the product more expensive to buy. (At that phase no one includes the costs of future security vulnerabilities, patch management, etc.) As to ROI, this is a controversial issue in itself and I'm not going to handle it in this post.
What is the "really must" I mentioned before? Money. If the product maker loses money because there is not enough ITS in the product, it might make a difference to him. What might be "not enough ITS"? Obviously, vulnerabilities discovered in the product when it is used by customers.
During the previous decade numerous surveys and a lot of research were done and published on the subject that could be called: "How much will IT makers suffer for not having good ITS in their products?"
One of the important and leading works on the subject was a paper titled "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation", presented at the Fourth Workshop on the Economics of Information Security, held on the campus of the Kennedy School of Government, Harvard University, 2-3 June 2005.
Link to the paper: http://infosecon.net/workshop/pdf/telang_wattal.pdf

Link to a SecurityFocus article about the paper: "Study: Flaw disclosure hurts software maker's stock", http://www.securityfocus.com/news/11197

The study analyses the financial impact on the stock price of SW makers following the announcement of a vulnerability in one of the company's products.
The bottom line can be summarized as follows:
Most of the announcements were followed by the SW maker's stock falling compared to the NASDAQ market average. BUT, "…The researchers did show that, compared to the effect of other types of product related defects, the disclosure of software flaws seems to have the least impact…" and even more disturbing data comes ahead: "…The two researchers found that the 0.63 percent decrease fell below the estimated 2.1 percent drop in the stock price of companies that were victims of public security breaches, or the estimated 0.81 percent drop in the stock price of auto makers that recalled their vehicles."
To conclude the bad news for ITS at SW makers, here is the response of Amit Jasuja, vice president of product management for database maker Oracle's security group, cited in the aforementioned SecurityFocus article: "So even if there is a connection between public vulnerability disclosure and stock price, the penalty for having vulnerabilities may not be high enough to convince product managers to spend more time on security".
A year or so later came the second blow, as a survey showed that the customers of the IT product makers also favor "Time to Market for IT products" over "Better security but later on the market".

To conclude: the market forces don't give good ITS a fair chance. NO ONE HAS ENOUGH INTEREST.


In this case, there is only one way left: outside intervention.
Who can do it?
Governments by enacting laws, other statutory institutions by passing regulations, standards institutions by creating new standards. Seems to be a perfect solution. In recent years we have had a lot of laws, regulations and standards on the market, all about ITS. So why doesn't the situation improve significantly?

The answer, in my opinion, is that almost all of these efforts are aimed at the "end of the chain", the CUSTOMER of the Information Technology products, and not primarily at those who stand at the beginning of the chain, i.e. the HW and SW makers. Vulnerabilities in products are not a result of how the customer implements the SW. It is the SW itself that is the cause. But, to my best knowledge, NO government has enacted a rule that imposes a fine of, let's say, $1,000,000 for each vulnerability found in a piece of SW product.
Lots of rules exist to punish institutions whose Information Technology infrastructure has been breached, whatever the cause, and whose confidential data has been stolen. Other rules impose fines for not implementing parts of legislation. Who are the only punished institutions?
The Information Technology CUSTOMERS. Only they.
Why is it so?
I'm waiting for your suggestions before writing the 2nd reason. Maybe you have an idea.
