Security’s Foe: Complexity (Part 1)

Newsflash: Complexity does not mean or provide security.

Although there probably is a company out there that hasn’t purchased a firewall, isn’t running anti-virus software, and has no plans to implement intrusion prevention technology, there are plenty that have spent the equivalent of Uganda’s GDP for the last 5 years on security technology. After 10 years of security work and countless conversations with peers, I have concluded all this spending is not solving the fundamental problem security set out to address: create safe and secure environments.

Why not?

The answer lies in why many businesses don’t have many of the generally accepted mainstream security technologies deployed. Complexity.

The complexity of security solutions and the perceived inability of security to meet dynamic business needs because of that complexity are some of the key underminers of security.

It almost begins to sound like a popular comedian’s tagline:

  • If your security solution or product requires a triple PhD from MIT to operate, you might have a complexity problem.
  • If your security solution or product has not been updated since men walked on the moon, you might have a complexity problem.
  • If a 5lb block of Swiss cheese has fewer holes in it than your security solution or product, you might have a complexity problem.

Sure, there are all manner of security schemes on the market, from network-based defenses and host-based defenses to security policy frameworks and security intelligence services, to meet an organization’s security needs. But technology has only brought us to the place where we now need a room full of security experts poring over event data, or some artificial intelligence akin to that of Skynet from the Terminator franchise, in order to determine whether our security is working or if the bad guys have just dumped the contents of the customer billing information database to a botnet-based auction system via a partner’s VPN connection using valid credentials they obtained through an infected email to an outsourced developer.

Fired up? Come back for part 2…

Posted on October 4, 2007, in Security / Risk.