In the world of security, those who are unable to see the criticality of security often lean heavily toward convenience over security. Security takes effort, and it often places extra requirements on working with sensitive information. Most people don’t want to spend that time or effort to achieve that goal, so they tend to dismiss, avoid and circumvent such security measures for extra convenience when performing the duties involved in daily work.
Convenience is a killer of security. The bottom line for profit is also a killer of security, and security is generally ignored because it reduces profits rather than increasing them. It isn’t until security is compromised and data, information, etc., is stolen that the bottom line is suddenly adversely affected, causing those in positions of influence to suddenly scream, ‘Where is the security?’
Even in the dark underworld of the Internet, where security is taken seriously from the start, there is no truly secure system, as shown by a recent article in which Bitcoin services were hacked and robbed, with not one iota of a chance that those who held those coins can have them redeemed. The only true security is to unplug from the Internet, and because of the invasiveness of inter-connectedness, even that is no longer a guarantee.
The only way I can see that security can achieve even a modicum of protection is by those in charge making security the highest priority in the creation, development and coding of all enterprise applications, etc. It is also necessary to provide harsh repercussions when the code is compromised, even at the lowest levels. Gratification, convenience and profit must take a back seat to security, for if not, the security breaches of the future will be so costly that no one can make a decent profit except those on the receiving end of such predatory thievery.
For instance, even with apps for the phone or that ‘rented cloud-based software program’ we use daily, if you are compromised while using it, the coders who created it must be harshly fined by their parent company, and the parent company must be harshly fined at levels commensurate with its level of profit - the real profit, not the obvious presented profits. Enforcement shall be harsh enough that actual jail time is possible, starting at the highest levels of said parent company.
Failure to provide adequate security is just plain stupid and irresponsible, and that irresponsibility and stupidity shall be harshly dealt with from the highest levels on down to the actual coders. Everyone at every level shall “OWN” the security of their work: write out their responsibilities in longhand, then frame them, hang them where they can be read daily, and then live that acceptance in all they do - security is foremost in their minds and the first thing they work on at the beginning of every day’s work. This starts with the CIO/CFO and trickles down to the fledgling coder in every software and associated company.
The actual handwriting of the contract of promise to security shall be televised so that every customer or potential customer can bear witness. The handwritten personal contracts are then to be stored electronically in their original form and displayed prominently on the company web sites and other such ‘company faces’, and used to remind the individuals that they own security in all they do, for they control the screens, control the code and control the Internet, for good and evil.
Only when such responsibility and ownership is created, assumed and witnessed can security become secure, through the diligence, effort and ownership of every person and every leader. Until that is achieved, security breaches such as the one at the OPM recently addressed at Krebs on Security cannot be, at a minimum, mitigated and prevented.