Thanks, Emily! My $0.02 US (unadjusted) on security.

A friend of mine just sent me a link and asked my opinion. Always a dangerous thing to do… Here you go, Chris!

I appreciate that she’s writing about MSFT and promoting what our execs are saying (have been saying for years =), but I think that Emily’s analysis is fine, if uninspired. Two factor auth has been around for a while for Microsoft Accounts, Facebook, etc, but most people don’t want to be bothered with it. Even that could be defeated by an enterprising criminal with a little effort, though.

We’ve had locks and physical security for millennia, and criminals are still defeating them in the real world. That’s what insurance is for, right?

This topic was all the buzz two weeks ago, and it will come around in the 24-hour news cycle again. In essence, you get the security you are willing to pay for in several ways:

1. The technology you deploy.
2. The training you provide to your staff.
3. The culture you foster at your company.

In my observation, the culture of a company has more to do with its likelihood of being compromised than the amount of money it throws at the problem. The problem is almost always people and process, not technology. Except in the rarest of cases (Stuxnet was such an outlier that it’s tough to believe all the hype about it was real), the biggest “hacks” aren’t done using technical exploits alone; they’re inside jobs or social engineering. Biometrics and other fancy security theater can’t solve those two problems: criminals with the keys to the kingdom AND stupid users.

If you think of cybersecurity the same way that you do about physical security, you’ll usually be fine. The problem is that most people who make buying (or deployment) decisions don’t understand technology well enough for that analogy to be valid. They take shortcuts in cyberspace for time or cost that they would never tolerate analogues of in the real world.

Take Target, for example, if a store alarm system were going off all the time, they wouldn’t ignore the warning siren: they’d hire someone to fix it so that it only went off when a real alarm was triggered and then respond with armed guards when it did. If the company that installed the alarm system couldn’t configure it so that it only went off when there was a real intrusion, they’d fire them, rip out the alarm system, and install a new one. That’s not what happened. Instead they ignored the alarm until their neighbors called and the police showed up to tell them that burglars were in the house… Doh.

I have customers who would love to pay someone millions of dollars for a complicated solution to a simple problem just to have a “guarantee” that they’ll be safe. There are no guarantees. If you have valuable stuff, people will try to steal it: in this world or the digital one. Make your security simple and strong and resistant to error and failure. This is a comic, but it’s absolute, mathematical fact. (If Bruce Schneier and Randall Munroe ever get married and wanted to adopt adult children, I want to be first in line! Just sayin’.)

Keep it simple and human-centric people, otherwise the Bad Guys® will continue to defeat your security.