You can't secure what you don't acknowledge.SM

Wednesday, February 19, 2014

Step up or step aside, somebody needs to fix your security woes

I just got off of phone call with some friends/colleagues where we were discussing the latest security trends. After talking it occurred to me that we're basically going backwards in time with information security. It seems with the Target breach, stupid passwords people are still using in 2014, and even today's new SANS-Norse healthcare security report, it just keeps piling up as if nothing works.

But it can work - if people would get out of their own way.

Looking at it from a psychological perspective (a great way to view security trends/challenges), it's really about the choices people are making - or not making - about security:
You've heard the adage, "if you lie about something long enough and consistently enough, pretty soon people will start believing the lies as the truth." So many people are thinking that IT and security problems are just getting too hard to handle...that the bad guys are just getting "badder". The government can fix things with whatever "cybersecurity" nonsense they're going to shove down our throats. To the cloud so we can wash our hands of all this.

Too many people are acting as if everything is out of their control, like low-information voters at the ballot box.

Like I talked about in this new guest blog post for Rapid7, don't let history repeat itself so that you get burned. Step up or step aside - somebody needs to fix this stuff.