Will it End?

WILL IT END?

I have a fairly eclectic taste in music, and I must admit I have recently started listening to a band called the "Dropkick Murphys". Well... I enjoy it anyway. They have a song called "The green fields of France", very good and it is about World War 1. But there is this one verse..

And I can't help but wonder oh Willie McBride,
Do all those that lie here know why they died,
Did you really believe them when they told you the cause,
Did you really believe that this war would end wars?
Well the suffring', the sorrow, the glory, the shame,
The killing and dying it was all done in vain.
Oh Willie McBride, it all happened again,
And again and again and again and again!

Now leaving aside the significance of the verse in the context of the song, it also seemed to me that it spoke about a serious problem we have in IT security (bear with me here). We have been telling business for a couple of years now that x threat is of the utmost importance, that if you do not address x threat it will cripple your business and that if you get y protection all your worries will be over. We basically told them "that this war would end wars". The problem is .. "it all happened again". And why? Well it is very simple, we lied. And worse then that, people believed us.

The truth is that there is no silver bullet, there is no ultimate solution, no nice-and-clearly-defined solution you can drop into a business to secure it forever amen. But that is what businesses hear, vendors tell them that ("Buy this product and you will get no more spam"), their IT people tell them that ("Get a firewall and our troubles are over"), auditors tell them that ("You are compliant so do not worry"). So why do all these people who should know better lie? Sometimes it is to make sales, it could be because they do not know any better, or they could not care.

Right about now, there are a bunch of people reading this going "Hey, thats not me, I did not lie! I told them the war would never end..". Now assuming I believe you (of course I do), why did nothing change? Because business shares the blame. You see, they want to be lied to. Business have had many people tell them the truth and if nothing else, pure experience should have taught them what was what. But no, they want nice simple answers, they do not want to hear "The only way to 100% eliminate spam is to unplug the network cable from the email server.", they want to manage by magazine, "Hey IT guy, buy this because this article says it can stop all hacks", by buzzwords "We need a cross-platform, e-portal application servicing grid-setup", or -my personal favorite- the relativity principle "My son / cousin / niece / wife / gardners-cousins-girfriends-hairdressers-brother can do...".

So we have on one hand the liars and on the other the people who want to be lied to. The trick is which came first?

So what can we do? We can tell the truth, we can be honest. People may not like us, but I can promise you this - You will never be wrong. You see, hacking will never stop, nor will viruses or spam in fact the threats will mature, mutate and get nastier. Viruses are a good example, 10 years ago a virus on your machine could almost be funny, a bouncing ball across your screen or some humorous text upon startup. Now days they steal personal information, disable protection software, enable other malicious software to be installed, allow your machine to be used for other attacks and can even be used for blackmail purposes. Now any defense that worked against the first level of threat has no hope against the second.

You see, the war will never end, we will always be working at securing networks and resources because things change. Please realize that we and our defenses must change with it, we should even try to change proactively. So security people, tell the truth .. and business people, listen. Security threats will happen again and we will need to defend against them, " And again and again and again and again!"