Are We Busy Doing Nothing?

You must read the hair-raising article by Greg Shipley in the October 11, 2010 issue of InformationWeek titled “Epic Fail.” The article is featured on the cover of the magazine with the words “The Wrong Protection: We’ve spent billions on security products, so why are we so ill-prepared for the attacks raining down on us?” I was reminded of the song that begins:

“We’re busy doing nothing, working all day through, we’re trying to find lots of things not to do. We’re busy going nowhere, isn’t it such a crime? We’d like to be unhappy but we never do have the time.”

I learned that it was first sung by Bing Crosby et al. in the 1949 movie “A Connecticut Yankee in King Arthur’s Court.” You can see the clip at http://www.youtube.com/watch?v=QuxSl_4yLz4. Don’t you agree that Bing and his buddies bear some small resemblance to some of our better-known security gurus? And what do you think about the expressions on the faces of the two passers-by? Isn’t that look of bewilderment a familiar one when we try to explain what we actually do? Ah, well.

Now back to Shipley’s article. He is essentially saying that attackers are outrunning defenders and that the promise of security products to meet the challenges is never realized. He’s not saying that we should do nothing about security. He says that we should continue to implement much of what we already install, but recognize that the tools are not fixing the problems.

Now Shipley isn’t the first to voice this opinion. I recall that, on getting his new job at DARPA, Peiter Zatko (the infamous “Mudge”) said that not much had changed in cyber security during the past couple of decades. And yours truly was quoted in The Wall Street Journal of January 19, 2010 as saying that little progress had been made in the past 10 years. The backlash from my colleagues was such that I posted an explanation of my statement on BlogInfoSec in my February 8, 2010 column with the title “Please Let Me Explain.”
