Why don't companies buy more secure software?

Bruce Schneier on balancing security and functionality

How does the regulatory environment and the security people being told, "We have to put this on for compliance," or "Sarbanes-Oxley is going to get us if we don't do this," really push companies toward better security?

It's a mixed bag. Here's the basic idea behind regulation. We as a society don't believe that companies are investing enough in security -- too many viruses, too much personal information stolen. And we can't convince them to do it, so we pass a regulation. We say to the company, you're not going to do this because you want to, but you'll do it to avoid being fined, going to jail, whatever the penalty is. So the regulation is a stick that we gave corporate security officers to beat their bosses over the head with and say, "Give me more money for security. Look, you have to."

Now, that's the way it works in theory. In practice, the devil is in the details -- it depends on the regulation. We find that regulations actually do free up more money for security. Corporate security officers are able to do more things because there's more money, because there's more focus, because of the regulation. On the other hand, they have to spend a lot of money on complying with the regulation itself -- the paperwork, the ancillary processes, the things that don't improve security. So, regulation improved security, but it's lossy -- a lot of money is wasted in the process. Whether the current regulation regime is good or bad, I think the jury is still out. I'm somewhat satisfied, but I wish it were better.

Should we be encrypting all our laptops?

I certainly do. I travel abroad a lot. I leave a laptop in my hotel room a lot, and I know that there are lots of instances of governments, of corporations, grabbing files. I don't want my laptop stolen. Now, I don't encrypt everything. I have an encrypted virtual drive. I have encrypted zip files. I work it out; so I'm still able to work. But because I travel a lot, I do. I think a lot of other people should, too. The U.S. Government has recently announced that they are going to let a huge contract for encrypted laptops in the government -- I think that's really great because now they're going to use their buying power to increase the quality of these products and that will help us all.

Laptops are particularly vulnerable. If you think about it, we have a lot of information on them, and they're easy to steal. But you start going along those lines, and you realize your cell phone is incredibly valuable. I have a Treo. And my Treo has my contact list. It has my calendar. It has several key documents. And this is something that is very easy to lose. And encrypting that is important. Then you look at memory sticks or little compact flashes. We're putting more information in smaller and easier-to-lose devices. And encryption is a way to protect us if they get lost or stolen.

On your blog, you said, "I would very much like to be a Linux user, but my tech support options are all Windows." So, what kind of tech support contract would you need in order to be able to switch?

It's less of a tech support contract; it's more what my company does. I'm not going to be different than the rest of my company just because that's hard to do, and the corporate structure is Windows and Outlook. I've managed to fight Outlook. I've used Eudora. I've used the Palm calendar. I've used Opera as a browser. But I still have the underlying Windows operating system. If there were corporate tech support for Linux, I would switch. But it's really easier for me in my life to do the thing that my tech support department can support easily and cleanly. I know this is sort of the age-old question at a Linux conference -- why don't you? And I think morally I feel bad about it. I should. But it's just easier for me in my life right now to use the thing that my peers are using.

I had to make the same decision when I came to Network World. Everyone else had a desktop machine running Windows, but for me, for times when tech support is unavailable, I don't trust myself to competently administer a Windows box. So, I went ahead and blew away the machine and put Linux on it.

It makes sense. And if you do your own tech support that's great. And if I took the time to become enough of an expert to fly solo, I would. But it's a question of where you put your priorities. And for me that feels like a lot of work. And I have other things to do. So I take the easy way out.
