Industry matures, show demonstrates
Veteran show-goer Angus McIlwraith was pleasantly surprised by
the product maturity evident at the recent Infosecurity exhibition
in London.
Walking round the London Infosecurity 2006 exhibition, I was astonished.
Most of the products and services on sale seemed rational, useful
and sensible.
It was the first time in many years that I've been at the show
and not been on a stand, and perhaps this made the whole experience
more enjoyable. Maybe it clouded my judgement, but exhibitors definitely
seemed to offer fewer than usual useless items.
However, there were some duds, or at least items of very limited
desirability. One was a LAN encryption module that slotted between
your LAN and each workstation. It didn't affect speed, nor did it
require any intervention. The cryptography was proprietary, and
each device contained the same key. While this would prevent casual
eavesdropping, it would not take much to purchase a module, plug
your machine into the LAN and capture all the traffic in the clear.
Maturation
I also felt that there were fewer very small companies selling very
bespoke products. Perhaps the information security industry has
finally decided to mature and produce facilities that interconnect,
meet well-written standards and enable organizations to get on with
their core business.
When discussing this with a colleague who had attended the lectures,
he mentioned a session that suggested there are two sorts of security
person: enablers and preventers. The enabler seeks to interconnect
people, write clear standards and help people get on with
the business of the day. Preventers stop people from doing things.
While there are security maxims that we should not dismiss, the
emphasis on prevention is not healthy. One of the characters in Scott
Adams' Dilbert cartoons is Mordac, the preventer of information
technology. Mordac (so obviously the in-house security man) once
demanded that a new password should consist of "The entire
text of The Da Vinci Code, other than those parts I don't believe".
Objects of derision
This sort of behaviour makes us objects of derision. Our work is
hard enough without having to battle the prejudices of the very
people we are trying to convince to behave securely, or when begging
for budget.
I suspect that there are circumstances and cultures where
prevention is much more acceptable; national security and the military
spring to mind. I can understand the need for rigidly enforced information
handling practices if you are dealing with government information,
or with information that could kill someone or harm a multi-million
dollar project if it were handled inappropriately.
But such stringency can seem a bit silly when applied to less critical
situations.
Enable
The mantra 'you can't do that, it's against policy' wears thin if
constantly applied to inconsequential things. I suspect that in most
cases an enabling attitude, where security measures enable people
to do things securely, will have a better, more secure effect than
a preventative attitude.
In time, being seen in a positive light will make your occasional
negative decisions more acceptable. If your default response is
'yes', then your 'no' will be taken more seriously.
The information security industry has to adopt this positive, proactive
enabling approach if it is to mature. It will help align us with
core business, and make that for which we are responsible more secure.
Proper enabling security lets us connect to wireless hotspots without
concern. We can use hostile networks (like the internet) to connect
cheaply. We can use a PDA to operate from anywhere in the world
with a web connection. All in all, we can and do make things possible,
securely.
And as the industry matures, perhaps we'll see the end of the rest
of the useless, defunct and ill-conceived products and methods currently
available. There are a few (risk analysis methods, crypto products
and the like) that I'd like to see the back of. Maybe they won't
be at Infosecurity 2007.