Monday, August 17, 2009

Red Pill... or Blue Pill... Pick One

Well, thank $deity August is coming to a close... hopefully the number of hacking incidents finally goes down now that school is kicking back into session.

Seriously though, this has been a tough couple of months hasn't it? I've lost track of the number of times a bank, retail store, or school has been victimized by some hacker for personal information - and don't even get me started on the whole Twitter/Facebook angle!

I bet by now you're curious why there is a potato chip bag scanned and pasted here for your viewing pleasure... well, I'll tell you. This bag caught my attention when I was sitting and eating lunch a little while ago - and I've kept it here on my desk to remind me how much of a failure almost every "security campaign" is. Look at the chip bag... what's the first thing that catches your eye? The big "LIGHT" logo in the middle, right? It's no wonder this particular type of chip was the one that was almost empty on the rack at the local sandwich shop... it practically screams "I'm healthier, eat me!"

How the hell does this relate to info security? How does it not?! Think about it. ... time's up. The reason many of our security campaigns to save people from themselves (i.e. stop clicking on stupid links) fail is that people just don't pay attention. People don't pay attention because we don't get our message across like the Lay's advertising people do! We don't grab the user's attention and make them compulsively do what we want them to. Personally, I think the Lay's advertising people are brilliant... maybe someone should hire them to do an InfoSecurity campaign?

Hear me out - I've been saying for years now that security isn't at a state yet where it's sufficiently user-friendly. It's just not "usable" by the general link-clicking masses. On top of that, we market it quite poorly. The best advances in Information Security are often marketed to those who already understand - but we can't seem to get the message out to the general masses and grab their attention. NoScript is brilliant, right? Sure, NoScript is still not Joe-user-friendly, but it's as close as we have to something usable - and I haven't seen any mass-marketing campaign aimed at the millions of Internet browser fans worldwide. In fact... I haven't seen any mass-marketing campaign of late that even hinted at security. Everything is "new functionality" and "cool" and "new widget" - not even a hint of "more secure."

I can't just poke you in the eye and not offer up a solution to the issue - so here goes. As I see it, we have 2 choices. We can (a) make security transparent to the user or (b) make it sexy. I just don't see an option (c) anywhere. I think it's clear that making security a bolt-on has miserably failed, and it will continue to fail well into the next decade. If we don't shift the paradigm of security from forced adoption to something else (either a or b), the overall state of the user won't be any better.

The Red Pill - "Make it transparent"
To make this work, step 1 is to give up on the bolt-on approach. Next, it's time to start up a grass-roots effort to push better security into our respective industries. Browsers, operating systems, cell phones, ATMs, parking meters... whatever - we need to make sure better security is carefully cloaked behind a veil of cool that the user won't recognize. This will require a concentrated effort and an entire abandonment of the patching principle we've all clung to so tightly. Once we re-focus our efforts, it will need to become apparent that applying fix after temporary fix is not the answer and that a permanent solution is needed. I can't see many people jumping on this bus readily, because it involves a very heavy effort. It also involves a forceful shift in how Information Security has fundamentally behaved. We've always been the "patch it after it's been released" people; and with that, the users of the world have come to accept that it's OK to release crap because Info Security will figure out a way to make it acceptable later. No more.

Better security simply has to become ingrained into the fabric of everything. Security needs to be an afterthought for every one of the millions of system users. Security shouldn't even be brought up anymore by the average user... it should just be automatic, a can't-live-without-it safeguard that lives deep in the background. No user effort must be required; in fact, no user knowledge must be required to raise the bar on security. Make users safer from themselves without letting them know... therein lies your challenge.

Choose the Red Pill and choose sneaking better security into everyone's daily life - without their knowledge.

The Blue Pill - "Make it sexy"
Your other option is to make security the bag of chips here. Make it pop, make it sexy, make it cool. Make security the thing that everyone wants to work towards. Scare them into it, hypnotize them, or just educate them better in large quantities - but do it with pizzazz. I can envision it now... a Super Bowl commercial advertising the next cool gadget... to keep you more secure. Hire the marketing geniuses behind the iPhone... and have them market security. What would that look like?

Could the InfoSec community get a supermodel to advertise NoScript? (let's assume it was more usable for the average Joe). What about Tom Brady in a commercial where he foils a would-be attacker by creating a complex password strategy for his many online IDs?

You get the idea. Making security sexy is not going to be simple; it's going to take a two-step process capped off with a marketing frenzy. "Now 50% more secure!" needs to be the label on Windows 7, or some other operating system. Can you picture it?

Choose the Blue Pill and choose to make security cool... good luck!

Now I know that life isn't quite as black and white as this - but the reality is that these are our realistic options. You know the patch-and-pray approach hasn't worked... so why keep it up? I honestly think we have just those 2 options before us; and if we don't pick one of them to try and shift security's approach to the world of risk, we're in for another decade of pain and failure.

