A lot of people are surprised when I tell them that computer security isn’t really a priority in most companies, or for our society in general. I captured this in my piece Why Software Remains Insecure, which basically comes down to security being precisely as good as it needs to be.
Or 100 years.
Before you squint at that, ask yourself how many homes are broken into every year. How many front doors are kicked in? How many locks are picked? A lot. So ask yourself why home locks haven’t improved much in the last 50 years.
That question rhymes with all the internal security people screaming at full volume about how their companies aren’t doing the basics. They’re not tracking assets. They’re not logging. They’re not hiring competent leaders. They’re not taking security seriously at the C-level.
Both situations have the same answer: the amount of damage caused—so far—has not been enough to take serious action.
Security people wonder why nobody listens, and this is the unpleasant answer.
In other words, our current level of security is acceptable to us. We know this with certainty because we’re accepting it. Hence, it’s acceptable.
The current ransomware plague might be serious enough.
I don’t think this will always be the case. I think we’ll see a number of cybersecurity events that will change our behavior, and I wanted to answer the question of how we’d know this had happened.
Here are four metrics we’ll see rising if and when we start taking cybersecurity seriously:
- Number and Amount of Fines Issued to Companies For Producing Insecure Software: Imagine if Microsoft or Oracle started getting serious fines when their software was part of a vulnerability chain that lead to losses. This is the equivalent of old Roman practice of having bridge builders sleep under the bridges they built for a period of time. In short, those who built things had Skin in the Game, which Nassim Taleb talks about extensively in his book of the same name.
- Number of Employees Fired for Ignoring Security Rules: We’ve all seen security awareness programs in our copmanies. There are videos. There are classes. There are certifications. Lots of green checkmarks. Who has seen people actually getting fired over this? Like actually terminated. Very few, if any. The punishment tends to be having to sit through more videos, which is admittedly pretty horrible. But until people start actually losing their jobs, the training doesn’t have a second hand to clap with.
- Number of Company Executives Serving Jail Time for Security Breaches: You want to see new life in a security program? Start sending some millionaires to jail when their companies cause damage. Keep in mind, I’m not saying we should do this right now. The industry is not mature enough to place blame on a bunch of hapless executives who barely understand the risks. The point is that once we do have that maturity those executives will no longer be able to hide behind this ignorance. They will be held responsible, and that will result in more change than you can imagine.
You can’t start counting Porsches in your driveway to get one to appear.
Let me be very clear: I’m not saying we need to put these metrics in place to make ourselves more secure. What I’m saying is that if we ever do start taking it seriously, these numbers will start incrementing naturally.
Amd the more ridiculous these events sound to you, the further away we are from security being a priority.
So ask yourself: how close are we to seeing these three things happening?
Yeah. Pretty far.