I’ve been involved in information and computer security, in some fashion or variation, for most of my adult life. The strictly “computer” or “cyber” security experiences I’ve had, as it is commonly understood today, cover about 15+ years. If you had to bin me I’m a “wide” not “deep” kind of guy. I’ve been pretty successful and dog gone-it, people like me.
However . . .
For the last few years I’ve been harboring this sneaking suspicion – manifesting itself in an increasingly cynical disposition – that all was not well with our world. I, and everyone I knew, was working as hard as ever but we didn’t seem to be making any kind of difference. You can’t be in this business for a decade or more and not wonder why you keep hearing the same phrases over and over again; hearing about massive breaches caused by the same mistakes over and over again; reading about yet-another epic security fail on the part of some official or executive and wonder: “if this computer security thing is so important, how come we’re no better off today than we were 10, 20, 30 years ago?”
I’m not saying computer security isn’t important; I’m saying we do a disproportionate amount of navel gazing in this business and do not have a big enough impact on our fellow citizens. If we were doing our jobs then computer security would fall into that class of “things people perpetually care about” and be addressed accordingly, not something that is addressed rarely and in an ad hoc fashion, like poison ivy or head lice or ear hair.
Some of my colleagues and fellow travelers are reading this and mumbling about the CNCI and record spending on security products and services, massive investments by government, corporations and investors alike and wondering if I’m drunk or high (or both). Well, how about we try to dig up some data to see if I might be on to something?
This is the information age, so it should be fairly easy to search through all that information to find out how popular – or more accurately “how often” – people are exposed to the issue of computer security. Now I don’t have a Nexis account, but I can use some poor-man’s alternatives, like Google Trends search (news headlines from 2004 to the present) and Google Ngram Viewer (books scanned by Google that cover the period of 1800-2008).
If we search Ngrams for the term “computer security” we get the following result:
Not bad. But let’s see what happens when we add a term that falls into the bin of “things people perpetually care about.” Let’s choose “health care” to start:
Um, OK, how about “Iraq” and “Afghanistan” because, you know, those have been popular topics last decade+:
OK, so life – and its quality and duration – are big subjects; places where life is cheap not quite as much. Computer security, however, is barely on the radar. But is war a fair comparison issue? I mean, when there is a war on it’s all anyone talks about. What about looking at an issue of perpetual interest, like taxes?
OK, so, forget about books. There are a lot fewer computer security books than there are books on the military or taxes or health care. Computer security is a current issue, so what about media coverage? That’s a better indicator of how important this issue is today, not what people wrote about twenty years ago when almost no one had a computer and there was no such thing as the Internet, right? OK, sure, let’s look at “computer security” in the headlines:
Wait, what?! Headlines mentioning computer security have been declining over the last eight years? OK, forget “computer” security, how about “cyber” security, because, you know, “cyber” is the hawtness now:
Oh my. Not what I thought it would be . . . wait, what about “cybersecurity” as all one word?
OK, OK, that’s more like it, but still . . . if conventional wisdom is to be listened to, shouldn’t headlines be steadily trending upwards to the right, not these wild pendulum swings?
Yes. Yes it should.
What about those words you used before? What about comparing “cybersecurity” to taxes?
Hmm, looks like headlines spike during tax season, and then drop off (which makes sense), though the issue writ large is pretty consistently covered in the media over time. What about compared to health care?
OK, not helpful. What if we compare some frivolous, niche topics that couldn’t possibly receive more media coverage than “a clear, present and growing danger to national security.” Let’s pick “Lindsay Lohan” (red), “Led Zeppelin” (gold) and “boobs” (green):
Now, obviously this is not a “scientific” study. I’m not a survey-data (big or otherwise) statistic-mathy guy, so I’m sure there are flaws that professionals who do this sort of thing for a living would love to pick at, but some reasonable conclusions I think we are able to draw from this little experiment:
- No matter how much we spend (CNCI, etc.), no matter how massive the breach, no matter how widespread the damage: cyber security is not one of the country’s most pressing issues if media and literature coverage are any indicators.
- If literature or media coverage over time is any indication, nothing we have done to date in the security industry is doing anything to increase public concern about computer security.
- Until computer security impacts as many lives as deeply as issues like taxes, life or death – or ladies jiggly bits – it will always be the fringiest of the fringe issues in the minds of the public. It is, in fact, less than trivial.
Arguing about the folly of manufacturer back doors in SCADA systems, stupid coder mistakes, the efficacy of anti-virus, what APT is or any of the myriad topics security people love to discuss is nothing but a cyber security circle jerk. We’re talking to ourselves, not the people we purport to want to help.
“But Mike, we’re very successful at computer security!”
Really? Then why have you been selling the same thing for ten years? Is there a finite number of computer security problems? No? Then how come you haven’t made your millions solving ONE OF THEM and used some of that money to start up something new to solve problem number 9,999,999,999,999? I’m not saying we’re greedy or stupid, I’m saying no one has solved anything, but we blame others for “not getting it.”
I understand: you took someone else’s money, and they had expectations. You met those expectations and now you have shareholders, and they have expectations. Being so successful you put yourself out of business isn’t a popular exit strategy. At which point you ought to be honest with everyone and admit that you’re simply in business, not the security business, and point out that you’re not going to stop doing what you’re doing no matter how ineffective it is.
However, if anything herein resonates with you, then do your peers, your industry, and your fellow citizens a favor:
Write something. I’m no English major, nor am I Shakespeare, but I’ve been known to reach national and international audiences on occasion. Insight and passion about an issue are all you need: they have editors (or your Barista, who was an English major) for everything else. Make it as relevant and accessible to as many people as possible: you’re writing for mom, not your boys in the hacker space.
Speaking of your mom . . . don’t make fun of her or roll your eyes when she asks you to fix her computer. While you’re upgrading her from XP and IE 5, explain to her, in terms she’ll understand, why computer security is important. Do this and two things will happen: A) she will make you a pie, and B) at her next coffee klatch with the neighborhood haüs fraüs she’ll tell THEM why computer security is important. They will tell their friends, and so on, and so on . . . Look at that dude; you just lit a spark that helped change the world view of about 15 million people. You know what 15 million people are called: A constituency.
Advance your cause by viewing the world through other people’s glasses. Security is only a be-all, end-all in the land of unicorns and pixie dust; in the real world people are motivated to get things done. Engage with people who do other things for a living and appreciate why they resist your genius plan to eliminate the problems caused by ‘1337 h@x0r$. The people in Finance, Sales, or Manufacturing are not your enemy, they are just incentivized differently. No one is going to willingly surrender their reward to improve security: you need to come up with an approach that they will want to follow (or at least won’t resist so much) so that helping you is just another part of doing their job.
Computer security is hard. Forget the existential factor – or lack thereof – it’s technically complex; it’s political; it’s economic; it’s social. It is a nut that has yet to be cracked despite all the work that has been put in to date. What we’ve been doing as an industry has been great for the industry, but it has had no substantial effect on those who need our support and protection. If you’re OK with that, then drive on; if you’re not: it’s time to do something different.
Notes:
To be fair and up front: Google hasn’t scanned every book ever, much less every book published between 1800 and 2008, but they have scanned a lot of them and in multiple languages too. For this particular effort, I pulled from the “English” corpus for the years 1980-2008.
Just so you know, it doesn’t help if you replace “computer” with “cyber” as is so often done these days; the results are still dismal.
OK, she “may” make you a pie.
That is to say: the people politicians listen to when they’re trying to come up with better laws.
And I’m not talking about recent events; you can find research and studies and papers discussing computer security problems going back to the 60s.