Why Information Security Is Hard
By Kurt Seifried
The phrase “information security” results in about 5 million Google hits.
So why are there so many hits on “information security”, I wonder? I suspect it is because risk management is a whole lot harder than handling income tax. Income tax, although complicated, does actually have a set of acknowledged rules (the tax code for whatever country you live in), and although this set of laws and acts spans a wide variety of topics and several decades (and in some countries centuries), we at least have a set of rules by which we play.
Information security has no set rules. We have guidelines and standards such as PCI, ISO17799 (which is actually a pretty good read) and Common Criteria to name a handful.
We have no widely accepted best practices; just look at the resistance to PCI (the deadline for compliance has been *AHEM* “extended”).
Although information security and risk management share some tools with the income tax industry (such as auditors and audits), the systems being audited are vastly more complex and difficult to test.
In other words, we have all the classic symptoms of a young and immature (and, some might say, ineffective) profession.
So what’s the answer? I think we are making headway with various standards and guidelines; something is definitely better than nothing, and as they become more accepted and mature, things should get better. Hopefully some day we’ll have an information security equivalent to GAAP (Generally Accepted Accounting Principles). Of course, to have this we need products with reliable and predictable behaviors, especially in abnormal situations (e.g. malicious input such as SQL injection attempts). In all fairness, this probably won’t happen without some significant changes in the way software is built (not a single major development method specifically addresses security). So we can add a whole new set of software development paradigms to our wish list.
But like JFK said:
We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.
If we can get to the moon with 1960s technology, we should certainly be able to prevent people’s personal information from being sold in IRC chatrooms.