This work is licensed under a Creative Commons Attribution 2.5 License.
Security is Invisible and Customers won't Pay for Security

A few years ago a dentist I consulted recommended a dental protector to me for night-time teeth grinding. She mentioned that I grind my teeth during sleep. How in this world can I disprove her statement unless I have some external observer monitoring me all night to validate my teeth grinding?

Security is invisible. Customers are willing to pay for visible software product functionality, but not for a secure software development methodology. Unfortunately, most security lives in the back end; if security works well it should truly be "invisible", and the fact that it is hidden does not motivate customers to pay anything extra. Security incidents motivate customers to act; that is the moment when security becomes visible, but the limelight fades as soon as the incident is handled.

We as security professionals see the internal mechanics of software security and can also speculate about the ramifications of poor software security in customer deployments. Just because we see this, we cannot expect customers to pay for it. Making security visible to the customer defeats the whole purpose of security, while making it invisible diminishes its perceived value. It is a dichotomy that we (as security professionals) have to manage and live with. Customers who notice and are aware of security may start checking the security aspects of a product before buying it. Unfortunately, security is just one aspect; buying one product over another purely on the basis of security is a pipe dream. In the distant future, when all products have security built in, security won't be a differentiator anymore and its visibility will diminish even further.

If security were highly visible, we would find Steve Jobs touting security on stage at MacWorld. Maybe this is the reality check for security professionals.

Media and Our Mind - Risk is All About Perception

Dave Hitz, the founder of NetApp, has an excellent blog post on how the media affects our risk perception.

This is what Dave says:

"A good risk management plan should take into account hurricanes, lost tapes, lost laptops, and maybe even terrorist attacks, but realistically, headlines typically don't highlight the most important risks. You are much more likely to lose data from human error or inadequately tested backup and recovery processes than from floods or attacks, but inadequate processes don't make good headlines. In addition, headlines fade quickly – if something becomes frequent it's often less newsworthy, but the risk remains. Our more sophisticated customers, like financial institutions, build risk management models that already include the items most likely to show up in the headlines, and if they use media reports at all, it's to update some aspect of their model, like the probability of a particular event, or the impact and cost.

In summary, don't worry about terrorists until restore from your nightly backup is well tested."

More details can be found on his blog here.

An interesting Whitepaper on Web 2.0 Security & Fortify Event

I was fortunate to be introduced to a good ex-Microsoft security person, Shivaram Mysore. He has an interesting whitepaper on Web 2.0 Security. It is a worthy read. The whitepaper gives a brief introduction to the available service models and frames the task of securing Web 2.0 around these service architectures.

I recently attended the pre-screening of the Information Security documentary titled The New Face of Cybercrime. The documentary was very nicely done, considering that the director, Fredric Golding, has no background in Information Security.

The thought leaders panel discussion was very stimulating. Being an analogy person, I liked the analogy narrated by Howard Schmidt, former White House Security Advisor, between the evolution of Information Security and the evolution of firefighting. In the past, firefighting was a reactive approach, but these days the threat of fire is factored proactively into building design: sprinklers, fire-retardant materials and so on. Another panelist, Ted Schlein, Managing Partner at KPCB, mentioned that security spending is around $12 billion/year while the loss due to information security breaches is around $100 billion/year; the trail of money always sounds interesting to me. There was a lot of discussion about Inside-Out vs. Outside-In approaches to Information Security.

Thanks to Fortify for putting this event together. I am sure more such events should happen amongst the executive crowd to bring a higher level of security awareness.

Lastly, I would like to conclude this post by stressing the importance of user awareness, because user awareness determines the "usage", which is a very important component of the threat model of an information system. I conclude by repeating the popular quote: "There is no patch for stupidity".