Thursday, January 18, 2007

How to sell Information Security?

I am not sure about you, but I face a tough time selling the importance of security to people. This article by Schneier was very impressive and made sense to me. If you want software vendors to deliver quality, secure products, then laws should be passed to add liabilities on software vendors for the security holes they deliver. This way vendors will be forced to comply and come up with secure software. I wish compliance similar to SOX were enforced on corporates so that secure software is developed and deployed. But there still remains the problem of the already delivered thousands of software products and solutions which failed to consider security during design. You can never add a layer of security onto a non-secure system and claim it to be secure. Deriving a solution to this problem would be really interesting, right!!


Anonymous said...

Well, Joe, how do you handle free software? Do you wanna make them liable as well?

Joebi said...

Good question, Kanth. How about having legislative liability apart from financial liability? If an open source project screws up security, it would be penalized by law, which would question its existence. The security tests by DHS on OSS are very much appreciated. OSS wouldn't like its deliverables being shelved by DHS or by its users just because they lack security, would it?

Anonymous said...

How about the NSA's involvement with Windows Vista?

Some folks surmise that they embedded a Trojan instead of protecting against them!!!

Joebi said...

When the NSA reviewed DES and tweaked it before its release in 1975, there was a conspiracy theory that the NSA had injected some backdoors into DES, but after almost 15 years of research it was acknowledged that the NSA had actually fixed a potential weakness in the algorithm. I hope the same holds for their recent Vista tweaks.
BTW, do we need someone else like the NSA to add more security loopholes/backdoors in Vista apart from MS? Just kidding :)
One more interesting fact is that SELinux was prototyped and released by the NSA.