Essays: 2002 Archives
Network security is not a technological problem; it's a business problem. The only way to address it is to focus on business motivations. To improve the security of their products, companies - both vendors and users - must care; for companies to care, the problem must affect stock price. The way to make this happen is to start enforcing liabilities.
Microsoft Chairman Bill Gates should be given credit for making security and privacy a top priority for his legions of engineers, but we'll have to wait to see if his call represents a real change or just another marketing maneuver.
Microsoft has made so many empty claims about its security processes--and the security of its processes--that when I hear another one, I can't help believing it's more of the same flim-flam.
Anyone remember last November when Microsoft's Jim Allchin, group vice president, said in a published interview that all buffer overflows were eliminated in Windows XP? Or that the new operating system installed in a minimalist way, with features turned off by default?
Deciding to outsource network security is difficult. The stakes are high, so it's no wonder that paralysis is a common reaction when contemplating whether to outsource or not:
- The promised benefits of outsourced security are so attractive. The potential to significantly increase network security without hiring half a dozen people or spending a fortune is impossible to ignore.
- The potential risks of outsourcing are considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake.
If deciding whether to outsource security is difficult, deciding what to outsource and to whom seems impossible.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.