harris development

You know those of us in the security industry have been wringing our hands over that question for years, for decades. Why don’t they do it? There are a couple of reasons. The first is -- it’s sometimes hard to tell what a secure product is. I can hold up two products; they use the same buzzwords. They have the same protocol standards. What is secure, and what isn’t? And you don’t know. And these might be security products. These might be networking products or office products. It’s very hard to tell what a secure product is and what an insecure product is. That’s reason one.

The second reason, companies actually don’t want to be secure, that’s wrong. They want to be secure, but it’s more important to be able to do things. So, installing a firewall, which would make you a lot more secure, a company is going to configure it pretty much open because it allows them to do peer-to-peer file sharing or use this application or do that or check their mail from afar -- all those things they want to do that go against security. So, when security goes against functionality, it often loses, especially at the high level. You can tell a lowly employee to be secure, but you’re not going to tell the CEO. That’s the second reason.

Yes, it's another Schneier related piece -- this time it's an interview with LinuxWorld.com, but it's worth reading.