RSA: Dealing With The Information Security Professional Shortage

It's first day of the RSA convention in San Francisco, and much of the talk is about the shortage of trained information security professionals, and what to do about it. Outreach to universities, diversity in hiring, cyber security games for kids, more entry level positions, better mentoring... there are lots of good suggestions on the table for increasing the numbers of people in the security business, but it all begs the most important question of why we need so many people working to keep our systems and data secure. Frank Dickson, one of the panelists discussing the (ISC)2 2015 Global Information Security Workforce Study, came closest to the answer when he pointed to the fact that ten years ago the survey showed that vulnerabilities in applications was one of the top concerns, and it is still a top concern this year. We have have known about the problem of insecure applications for the past decade, and there has been no improvement in the situation. We need so many security professionals trying to keep our systems and data safe because our systems start out fundamentally insecure. There is a tradition, alas probably apocryphal, that when the Romans built a bridge the engineer responsible would stand under each new arch as the supports were removed, so that if the bridge collapsed he would be the first to know about it. Even if the story is not true, Roman engineers did take full responsibility for their work, and there are bridges they built that are still in use two thousand years later. There is no software company today that will take any responsibility for their work. In fact most software licenses today devote a lot of legal verbiage to explaining in detail just how little responsibility that company is willing to take in the event that their software is buggy, does not work, or indeed does nothing at all. I grew up in the town of Walsall in the West Midlands of England, the region where the Industrial Revolution started. Just as in Northern Italy in the Renaissance or Silicon Valley today, for a while the best minds of the time congregated in one place to change the world. Like the Homebrew Computer Club in the 1970s and 1980s, the Lunar Society of Birmingham in the mid 1700s was an incubator for the ideas that would revolutionize science and industry. Silversmith Matthew Boulton and potter Josiah Wedgwood developed the first production lines. Boulton went on to be the venture capitalist for James Watt's steam engine, and participate in experiments on electricity and acoustics with a visitor from the colonies, Benjamin Franklin. Physician Erasmus Darwin speculated on fossils and natural history. His son married Wedgwood's daughter, and their offspring was Charles Darwin. While Birmingham has statues of Watt, Boulton, and McAdam (who invented tarmac) my own home town has a statue of a very different type of person, a nurse called Sister Dora. [caption id="attachment_6311" align="aligncenter" width="339"]

"Statue of Sister Dora - geograph.org.uk - 682348" by Derek Bennett. Licensed under CC BY-SA 2.0 via Wikimedia Commons.[/caption] With the Industrial Revolution came accidents and injuries of a volume and severity that had not previously been seen outside wartime. The blast furnaces and the steam powered machinery of the new industries were introducing new dangers to the workplace. Sister Dora devoted her life to caring for the injured, and was much loved by those she cared for. Railway workers raised money to buy her a pony and trap, so she could more easily visit housebound patients. A 19th Century observer in the ward of the Cottage Hospital where Sister Dora worked looking at the influx of injuries from the factories of the West Midlands, and the increase in industry expected in future years, might predict the need for a larger hospital and more nurses, but the real solution was to make the factories safer. There are two mechanisms for reducing industrial injuries. The first is government regulation to outlaw unsafe practices, and the second is holding employers responsible for negligence or malpractice that results in injuries to their employees. I don't believe that we will see secure software until we are able to hold software developers responsible for negligence or malpractice in their code that results in losses to their users. I don't expect we will get there soon. Sister Dora was working about a century after Boulton set up his Soho Manufactory, and little had been done to improve safety conditions in that time. But perhaps there is a niche in the market for software that comes with a warranty rather than a disclaimer. Suppose you had a choice between a server platform that was free, and came no warranty, or one with a substantial license fee but that would reimburse you for any loss or damage caused by security or other bugs in the system? I think there are many enterprises that would opt for software that someone is actually willing to stand behind. In particular, I could see this becoming a standard for government purchases. Of course, the software companies willing to warrant their software would probably need to buy insurance themselves, which means that insurance companies would be in the business of monitoring the security of the software they insure. From this might come a code of practice that could eventually result in government regulation mandating secure and reliable software development and outlawing weasel worded disclaimers in software licenses. That might seem far fetched today, but the health and safety regulations of a modern workplace are a far cry from those of Sister Dora's day.