The Alice and Bob After Dinner Speech

Posted June 3, 2009 by mcurphey
Categories: Humor

Priceless – http://downlode.org/Etext/alicebob.html

(Hat tip to Dinis Cruz)

Follow me on Twitter @curphey http://www.twitter.com/curphey

Bing and Decide…

Posted June 3, 2009 by mcurphey
Categories: information security

SDL in Visual Studio Team System

Posted May 19, 2009 by mcurphey
Categories: Security Industry, Software Security

…has arrived.


Full details here.

Beautiful Security

Posted May 11, 2009 by mcurphey
Categories: Software Security, information security

I have just got a few copies of Beautiful Security through the mail. Always nice to see your name on the cover of a book and your work in print.

http://oreilly.com/catalog/9780596527488/

Make Web Not War

Posted May 7, 2009 by mcurphey
Categories: Humor

Probably only really funny if you are a softie and know who the people are but……

Don’t forget I am experimenting with Twitter. You can follow me at http://www.twitter.com/curphey

Caved to the pressure and got a Twitter account……

Posted May 4, 2009 by mcurphey
Categories: information security

The Future : Regulation is Futile – Market Forces Will Prevail

Posted April 28, 2009 by mcurphey
Categories: Information Security Economics, Long Tail Security, Microsoft, Platforms, Royal Holloway ISG, Second Life, Security 2.0, Security Industry, Security Platforms, Security metrics, Social Networking, Software Development, Software Security, Technology Commentary, Working at Microsoft, information security, open source

39,000 ft over yet another ocean ……

I just watched an old Bill Joy talk from Ted 2006 via iTunes. Two key paraphrases struck me as prophetic.

“You can’t regulate the problem away”

“What we need is better networks”

In 2005 I did a series of public speaking events using a theme, “Naked Security”, in which I stripped back the marketing hype and hopefully injected a dose of reality about the security industry. It took me a year to get a good pitch finely tuned and I then milked it for a few years. Last week I did the first speech on my new meme at a conference in Dubai. It’s called “Cogs and Levers” and is based on the chapter I have done for the O’Reilly book Beautiful Security.

“Cogs and Levers” talks about ways we should harness critical social, economic and technological trends to create a secure digital world for the future. Those things are:

  • Systems Thinking
  • Social Networking
  • Business Process Management
  • Super crunching
  • Platforms
  • Identity

Systems Thinking – Most security people are analytical. Analysts decompose a problem or a technology into discrete parts and then understand how each part works (or doesn’t); then they re-assemble it with a newfound knowledge of how to improve it. In doing so they generally pay little regard to the overall system in which the component lives. Think about software security, where software security analysts (code reviewers) analyze the source code but not the social environment in which it was developed, the physical environment in which it is deployed or the host environment on which it executes. Without a shift to systems thinking we are fooling ourselves that we can design real solutions, because we probably don’t understand the real problems. Only by understanding systems will we know where to get the best returns on our investment.

Social Networking – The old school says social networking is the scourge of society and dangerous to our civil liberties. “People expose too much information”, they say, and they cite the edge cases of crime or corruption while ridiculing friends who spend their lives getting “Poked” or sending “Starfish” on Facebook. I agree, Facebook drives me mad. How do you not accept friend requests without offending people you know in passing? How do you tell a parent at your kids’ school that exchanging a pleasant “good morning” is just fine but you don’t want to know what they do in the evenings and at weekends?

What we know from history, be it through trading or through war, is that when people connect, big things happen. Bill Joy talked about the need for networks to fight global terrorism. Useful social networks for information security will not look like Facebook. They will connect distributed knowledge bases and real-time and historical data from security tools, and connect people to match, aggregate, filter and exchange information.

Business Process Management – Workflow software enables the flat world. BPM technologies will allow us to divide work and parcel it out to the flat corners of the world where it can be processed cheaper AND | OR faster AND | OR better. The automated code scanner finds a potential bug in an old bit of VB code and parcels it off to the hippy living on a beach in Asia for his analysis. The IDS sees an attack coming from China against a bespoke router, sends off the payload to the Chinese translators, sends off the attack signature to the peer-to-peer social network for analysis and the attack trace to the only two remaining engineers who really know if the router was vulnerable.

Super Crunching – Regulations will not work. “You can’t regulate the problem away”. Market forces drive economic change, and when the cost of security becomes something everyone considers, people will act on fact and not FUD. In order to get to a place where people can make informed decisions (you know, like “what’s the real likelihood that this XSS will actually get exploited or show up in the media?” or “how many security bugs per KLOC is an acceptable ratio?”) we need to be able to perform detailed analytics. This means data warehousing and mathematical analysis. The reason an insurance actuary can provide a price for me to drive a Ferrari is that there is empirical data to show that a rich middle-aged man who goes out and buys a red Ferrari is more likely to wrap it around a pole (showing off to his blonde bimbo mistress) within a few months than a middle-income guy who chooses to drive an Aston Martin DB5 and just loves cars. Market forces (insurance) will drive change. Market forces require empirical data to provide a framework in which to trade.

Platforms – The reason super cool apps exist, like the app on my cell phone that allows me to punch in the location where I parked my car and at any time in the future get walking directions to find it again, is a platform, or several platforms: GPS platforms, mapping platforms, the app store distribution platform and the iPhone execution platform. If the author had to create all of these things in order to fulfill the basic requirements of a “find the car for ‘captain compass’” app, it would never get built. If you want to build an app to do some security management stuff you have to build it all yourself: wiring tools together, correlating data, executing workflow, etc. In the future, platforms will exist that can be used in mash-ups to do super crunching, social networking, technology connectivity and much more.

Identity – is about so much more than user entitlements and user roles. What experiences can I share, how can I find someone with specific skills or knowledge, and how do I trust that what this thing is saying is true are all tough problems to solve. Identity will play a key role in the future of systems (social and technological).

I think you can sum up a lot of what is wrong with the “security circus” today with an old Chinese proverb: when the wind blows, some people build high walls while others build windmills.

I just love Ted talks. Inspiring stuff. This is the first meaningful post on this blog in about 6 months. I think someone should get a Ted-type conference together for the “Future of Security: Ideas Worth Sharing”. If someone (like Kleiner Perkins or a VC that invests in the future) will back it, I will organize it. How’s that? I would invite (to start with):

  • Dan Geer
  • Pete Lindstrom
  • Gunnar Peterson
  • Dinis Cruz
  • Fred Piper
  • Phil Venables
  • John Viega
  • Rich Mogull
  • JD Meier (How to Organize Information and Thinking!)

Who would you invite?

PS Yochai Benkler’s Ted talk on Open Source Economics (2005) is also quite superb! I continue to be a huge fan of the open source model.

S = ƒ ( ___ )

Posted April 24, 2009 by mcurphey
Categories: Humor, Security Bullshit, Security Industry, information security

S = ƒ(°WFF)

Degrees of Warm Fuzzy Feeling

S=f(p,d)+Rn

(Prayer, Denial) + Number of Days till Retirement

S=f(n)

Where n is the number of security guys you know

S=f(1/n)

Where n is the number of security standards documents you have read

S = ƒ(#B*#FCA)

Number of people you can blame multiplied by the number of friends you have that can cover your back-side

S = ƒ(Bu : Br)

Builders : Breakers

(Credits to MikeH, GlennP, AndrewL and DennisG)

Feel free to add your own by way of comments!

Moving to Seattle

Posted March 19, 2009 by mcurphey
Categories: Working at Microsoft

While I have been trying to find the time to code up a spiffy new blog (and wasting far too much time finding too many basic and serious security holes in all the popular open source ASP.NET blog engines I looked at to make much progress), my boss has persuaded us to relocate to Redmond. It was a tough call, with the kids blissfully happy at a brilliant school and all of us loving living in Brighton, but it’s a great opportunity at the “mother ship” and in this economy it’s hard to turn down a good offer… plus it’s much closer to Hawaii for some radical kitesurfing!

We expect to be there by July.

Risk Management Software

Posted March 19, 2009 by mcurphey
Categories: Humor, information security