Why Don't Companies Buy More Secure Software?

Balancing security and functionality is nothing new. But is there a way to fairly allocate the security costs to the users who benefit from the functionality? We ask the LinuxWorld OpenSolutions Summit keynote speaker Bruce Schneier.

By Don Marti
LinuxWorld
February 2, 2007

LinuxWorld: Welcome to the Linux World Podcast. Hi, I'm Don Marti, and I'm here with Bruce Schneier from Counterpane Internet Security. Welcome, Bruce.

Bruce Schneier: Thanks for having me.

LinuxWorld: Why don't companies buy more secure software, or at least why don't they buy less insecure software?

Schneier: You know those of us in the security industry have been wringing our hands over that question for years, for decades. Why don't they do it? There are a couple of reasons. The first is -- it's sometimes hard to tell what a secure product is. I can hold up two products; they use the same buzzwords. They have the same protocol standards. What is secure, and what isn't? And you don't know. And these might be security products. These might be networking products or office products. It's very hard to tell what a secure product is and what an insecure product is. That's reason one.

The second reason, companies actually don't want to be secure, that's wrong. They want to be secure, but it's more important to be able to do things. So, installing a firewall, which would make you a lot more secure, a company is going to configure it pretty much open because it allows them to do peer-to-peer file sharing or use this application or do that or check their mail from afar -- all those things they want to do that go against security. So, when security goes against functionality, it often loses, especially at the high level. You can tell a lowly employee to be secure, but you're not going to tell the CEO. That's the second reason.

The third reason is that a lot of the insecurities we see don't affect the company at the boardroom level. A worm and a virus attack, which might make all the tech staff scramble and work without sleep for 15 hours, the CEO doesn't see. He doesn't care. As far as he's concerned that worked out great. Why bother spending? So, you have a whole lot of factors in play. It's not that companies don't want to be secure; it's that they either don't care or don't know how or don't understand they're not.

LinuxWorld: So, if you've got, say a marketing department that asks for some big Web application to be installed, and then it turns out there's a security issue with that, whoever is the “security person” inside the company ends up cleaning up that mess.

Schneier: And the security people know that. I mean if you say no too often, the marketing department is going to go around you. If you say no wireless, someone is going to stick an access point in. If you say no BlackBerry, someone is going to forward their mail to Google, and then get it from there. As a security officer, you're in a very tough position of basically having to allow what the employees want to do and doing the best you can. Now, that's not necessarily bad. If you think about it, security is there to make the company safe while it's in business. If the company can't do the things it wants to do, then the security is irrelevant. So, I'll give you an easy example. And you go to Amazon.com, and you buy books, you can use a secure server. You can use SSL. You could also choose not to. And if you click on, "don't use a secure server," you know what Amazon does? They sell you the book anyway. They realize that even though it's less secure, it is still good business for them to sell the books. There's an example of the business process taking precedence over security. I mean there are some things you should never do, but in general security doesn't win when it goes against what the company wants to do as a company.

LinuxWorld: So, is there any way to allocate security costs onto the departments that are asking for and receiving the benefits of possibly insecure things?

Schneier: That's the trick. And I think you have to do that. I mean just like many companies pass IT on to the different departments and have interdepartmental accounting, they could also pass security. If the marketing department decides that it wants to have a new application that punches a new hole into the firewall, and maybe it's good, and maybe it isn't, you could say to the department, 'This is what it is going to cost you, and the cost will be higher because of increased insecurity.' That can work pretty well for some things. For some things it won't. If you're worried about the corporation as a brand, if you're worried about a network breach that will put the company on the front page of the newspaper, you really can't allocate that to a department because it's a very, very great cost, and it affects the entire company. You have one department putting the entire company in jeopardy. So, it's harder to do that kind of economic thinking. But you're on the right track. We need to think about it economically.

LinuxWorld: Does security always have to be a cost center, or is there some top line benefit that a company could get from having a reputation for better security?

Schneier: Security is always a cost center, but it allows for benefits. So, for example, the telephones in a company are always a cost center. Yet without the telephones, you couldn't make sales. You couldn't make profits. Security will be a cost center -- again, let's take Amazon as an example -- their Web security is a cost center, but without it, they can't sell books. They can't make money. So, security does cost, but security facilitates better things. If you have good security, you can do things that maybe your competitors can't. It is always looked myopically -- it's a cost. But you look at it in the broader context, it's a benefit that allows the company to do things it couldn't do otherwise.

LinuxWorld: In your upcoming talk at Linux World Open Solutions Summit on Feb. 14, you're going to be talking about the economics of Internet security, and I noticed in the announcement that you'd be looking at it from the attackers' point of view, too. What's an attacker doing to maximize return on investment, and should security people be paying special attention to those types of attacks?

Schneier: I think they should. If you think about it, an attacker goes through an economic decision just like a defender. An attacker is spending time, an attacker is spending time, money, risk -- the risk of capture -- for some attackers, death, if you're thinking of a terrorist. And this attacker wants to maximize his return on investment. And that might be money in the case of a criminal. It might be deaths in the case of a terrorist. Depending on whether it's organized crime or a lone criminal, they'll have different resources they can expend.

You have to look at the attacker as a capitalist; as someone who is trying to get the best return on his investment. And this isn't to excuse him or to figure out why it's OK, but if you don't understand your attackers' motivations, you'll never defend yourself. For example, the kind of defenses we might put in place for a fraudster, a criminal trying to get money, is very different than the kinds of defenses you put in place against a hacker who wants to deface your Web site and look cool. Those attackers have different goals. They have different resources. They have different levels of risk they're willing to tolerate, and they're not the same, and the defenses won't be the same.

LinuxWorld: Does it make sense to have somebody on your security team or within your company play the role of an attacker in a what-if scenario?

Schneier: You certainly have to think like an attacker. And this is true for policemen, for computer security, for counter terrorists. You always have to try to put yourself in the mindset of the attacker; otherwise, you'll never see how your defenses look from that point of view, and that's very important. In the military, there are all sorts of war games where people playing the attacker will pit themselves against people playing the defender. In computer security, we do vulnerability testing and penetration testing, where you hire people to act like the attacker and break in. In some areas, in home burglaries, that doesn't make that much sense because attackers are pretty well known and well understood. They don't do new things. So, it depends. But it's certainly a good idea to have someone thinking like an attacker. And whether they have to actually play the role for real, really depends on circumstance.

LinuxWorld: How does the regulatory environment and the security people being told, "We have to put this on for compliance," or "Sarbanes-Oxley is going to get us if we don't do this," really push companies toward better security?

Schneier: It's a mixed bag. Here's the basic idea behind regulation. We as a society don't believe that companies are investing enough in security -- too many viruses, too much personal information stolen. And we can't convince them to do it, so we pass a regulation. We say to the company, you're not going to do this because you want to, but you'll do it to avoid being fined, going to jail, whatever the penalty is. So the regulation is a stick that we gave corporate security officers to beat their bosses over the head with and say, 'give me more money for security. Look, you have to.'

Now, that's the way it works in theory. In practice, the devil is in the details -- it depends on the regulation. We find that regulations actually do free up more money for security. Corporate security officers are able to do more things because there's more money, because there's more focus, because of the regulation. On the other hand, they have to spend a lot of money on complying with the regulation itself -- the paperwork, the ancillary processes, the things that don't improve security. So, regulation improved security, but it's lossy -- a lot of money is wasted in the process. Whether the current regulation regime is good or bad, I think the jury is still out. I'm somewhat satisfied, but I wish it were better.

LinuxWorld: Should we be encrypting all our laptops?

Schneier: I certainly do. I travel abroad a lot. I leave a laptop in my hotel room a lot, and I know that there are lots of instances of governments, of corporations, grabbing files. I don't want my laptop stolen. Now, I don't encrypt everything. I have an encrypted virtual drive. I have encrypted zip files. I work it out; so I'm still able to work. But because I travel a lot, I do. I think a lot of other people should, too. The U.S. Government has recently announced that they are going to let a huge contract for encrypted laptops in the government -- I think that's really great because now they're going to use their buying power to increase the quality of these products and that will help us all.

Laptops are particularly vulnerable. If you think about it, we have a lot of information on them, and they're easy to steal. But you start going along those lines, and you realize your cell phone is incredibly valuable. I have a Treo. And my Treo has my contact list. It has my calendar. It has several key documents. And this is something that is very easy to lose. And encrypting that is important. Then you look at memory sticks or little compact flashes. We're putting more information in smaller and easier to lose devices. And encryption is a way to protect us if they get lost or stolen.

LinuxWorld: On your blog, you said, "I would very much like to be a Linux user, but my tech support options are all Windows." So, what kind of tech support contract would you need in order to be able to switch?

Schneier: It's less of tech support contract; it's more what my company does. I'm not going to be different than the rest of my company just because that's hard to do, and the corporate structure is Windows and it's Outlook. I've managed to fight Outlook. I've used Eudora. I've used the Palm calendar. I've used Opera as a browser. But I still have the underlying Windows operating system. If there was corporate tech support for Linux I would switch. But it's really easier for me in my life to do the thing that my tech support department can support easily and cleanly. I know this is sort of the age old question at a Linux conference -- why don't you? And I think morally I feel bad about it. I should. But it's just easier for me in my life right now to use the thing that my peers are using.

LinuxWorld: I had to make the same decision when I came to Network World. Everyone else had a desktop machine running Windows, but for me, for times when tech support is unavailable, I don't trust myself to competently administer a Windows box. So, I went ahead and blew away the machine and put Linux on it.

Schneier: It makes sense. And if you do your own tech support that's great. And if I took the time to become enough of an expert to fly solo, I would. But it's a question of where you put your priorities. And for me that feels like a lot of work. And I have other things to do. So I take the easy way out.

LinuxWorld: It would be a lot of work for me to switch the other way. So, you're going to be speaking at Linux World Open Solutions Summit on Feb. 14 in New York City. And I'm looking forward to seeing you there.

Schneier: It will be a fun talk. It will be a fun time. I hope everyone comes to see me.

LinuxWorld: Thanks for being on the Podcast, Bruce.

Schneier: Thanks for having me.
