Consider this, if we put the lineage of the internet into the context where we compare the latest & greatest advents in “cloud” technology to the history of technological advancements in say the automotive industry we are probably somewhere around the ‘57 Chevy era.
At this point, there have been some great advancements under the hood in recent years but concepts like seat belts are still an afterthought. In many cases, we’ve moved past the stage where we need to manually configure a whole bunch of things. In the automotive paradigm, we’ve just passed the “Model T” stage where there were a whole bunch of extra levers and knobs that anyone wanting to operate the machine had to fully understand and know how to use properly because if they didn’t, the whole contraption could blow up!
The business case for the automobile didn’t call for all those levers and knobs; they were a necessity at the time for the technology to get the job done. Today most people won’t even realize the automation that happens under the hood in the modern automobile but it's there.
In the 50’s no one thought twice about the lack of seat belts let alone something so outrageous as airbags. Was the threat any different? No, the potential for damage, even loss of life, is effectively the same today as it was then. It took a long time for the industry to evolve to the point where security was a key driver in the market. I believe that is where we are in the Info-Tech space today. I’m sure years from now people will be looking back horrified to think that we didn’t have more automated methods in place to mitigate the negative consequences of things like Heartbleed. It may even be inconceivable for the next generation to think that the systems we use didn’t have some kind of regulator built into them that would react to the threat. In a way, it’s not unlike how we would find it difficult to imagine a new vehicle rolling off the production line today with a manual choke (for the younger readers that never owned a 70’s era vehicle, it was once a very necessary knob that you had to pull if you ever wanted to start your car in late fall or winter).
At the end of the day, business drives innovation. That’s how we ended up with side impact airbags and anti-lock brakes but those things were a lower priority when compared to some of the benefits that vehicles offered like speed, reliability, and maybe even comfort in come cases. Bootleggers outran the cops with souped up machines around the turn of the century (that inspired Nascar) and in our parallel IT universe, ever faster networks are in many cases driven by the demand for video content that may or may not come from legitimate sources, but the net effect is that our IT systems are more advanced as a result, yet security is often an afterthought or assumed to be in place when all to often it's not.
Here’s a simple example: Right now everyone is preoccupied with patching openSSL and for 99% of the world that’s a manual process. How many of the folks doing that are also resetting their associated SSL keys? Any knowledgeable security conscious sysadmin worth their salt will tell you it’s an automatic consequence given the circumstance, but I’d bet that less than half the folks who should be doing that job today actually are doing it to that degree of completeness. Why? Because almost no one in the business world will know the difference. Does this remind you of the kind of faith you have in your auto mecahic when he/she tells you that they have fixed the problem with your transmission for the last time? The fundamental challenge in IT today is how to truly understand what the priorities are as seen by the business. I'd go so far as to say the top 3 are: #1 Deliver Business Value (of some kind or another), #2 Reliability, #3 Performance.
The business world is provided the assumption that within priority #1 or #2, security is inherently understood to be included and, in some cases, it is. But for the most part that assumption is questionable and needs to be constantly validated so we invent well conceived methods that have fancy acronyms to try and attempt to do that like PCI, HIPAA, SAS 70, & SSAE to name a few. The problem is that with the rapid rate of change those methods struggle to be truly effective (and are very expensive). In the example of Heartbleed again, the only realistic solution to the problem is to have a system in place to respond to the the threat in as close to real time as possible. None of the aforementioned compliance schemes are very good at making that process effective nor should they be. In a way, it’s not unlike the emerging automatic impact avoidance technology you are starting to see in the newer vehicles on the market today. Regulatory & Compliance authorities did not drive that innovation. Imagine a platform that could be smart enough to recognize the patterns of behaviour so that it could intelligently anticipate and respond to threats in advance of them emerging. That is where we need to be to deliver value to the business from a security perspective.
I for one take at least a little bit of nostalgic joy in the current state of affairs because I know in the future we will be looking back at these days talking about how we didn’t even have seat belts in our bitchin’ camaros!
