Chris's Rants

Thursday, May 20, 2004

When will they learn?

Reuters has (via Yahoo!) this article which reports that execs from 150 companies are beseeching software vendors to make products that are more secure. The article ends with the following quote:
"There will probably come a day when security is seamless, invisible and automatic, but that day isn't here yet"
That day will never come. Security is not just about technology and writing more secure software, although the software industry can do much to improve in this regard. Cybersecurity cannot be completely automated. Effective security begins with management policies and a real commitment on the part of management to enforcing those policies. Effective security begins with a risk assessment: ascertaining the value of each information asset (some of which may be intangible), identifying the risks should the asset become compromised, and identifying appropriate countermeasures to mitigate the identified risks. As there is a cost associated with deploying countermeasures, that cost must be weighed against the value of the asset in determining which countermeasures to apply in a given situation.

Sure, we all want more secure software, but we must all recognize that that alone is not enough. There was a patch available from Microsoft that would have protected against the recent Sasser worms, yet many companies were infected... because they lacked an asset management policy ensuring that all critical security patches are applied in a timely manner, and they likely did not have a policy requiring a personal firewall on all systems; either or both of which would have prevented infection by the Sasser worms.
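To make the cost-versus-value weighing concrete, here is an added Python sketch of a risk register (not from the original post); the assets, likelihoods, costs and the fraction of risk each countermeasure removes are constructed figures, and the greedy selection rule is an assumption, not a standard the post cites. It shows how, once one sufficient countermeasure (patching) is in place, a second one covering the same risk (a host firewall) no longer pays for itself, which is the "either or both" point above.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float   # loss if the asset is compromised (constructed)
    likelihood: float    # annual probability with no countermeasure (constructed)

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    reduces: dict        # threat -> fraction of remaining likelihood removed

def expected_loss(risk: Risk) -> float:
    """Annualised expected loss for a risk with no countermeasures applied."""
    return risk.asset_value * risk.likelihood

def select_countermeasures(risks, candidates):
    """Greedy selection: repeatedly take the countermeasure whose avoided loss,
    computed against the *residual* likelihood after earlier picks, exceeds its
    cost by the largest margin. Stops when nothing left pays for itself.
    Returns (chosen names, residual expected loss per threat)."""
    residual = {r.threat: 1.0 for r in risks}   # fraction of likelihood remaining
    chosen, remaining = [], list(candidates)
    while remaining:
        best, best_net = None, 0.0
        for cm in remaining:
            avoided = sum(expected_loss(r) * residual[r.threat] * cm.reduces.get(r.threat, 0.0)
                          for r in risks)
            net = avoided - cm.annual_cost
            if net > best_net:            # only countermeasures with positive net benefit
                best, best_net = cm, net
        if best is None:
            break
        chosen.append(best.name)
        remaining.remove(best)
        for threat, frac in best.reduces.items():
            if threat in residual:
                residual[threat] *= (1.0 - frac)
    return chosen, {r.threat: expected_loss(r) * residual[r.threat] for r in risks}

# Constructed sample register (hypothetical figures, not from the post)
RISKS = [Risk("workstation fleet", "network worm", 400_000, 0.5),
         Risk("customer database", "credential theft", 2_000_000, 0.05)]
CANDIDATES = [Countermeasure("patch management policy", 60_000, {"network worm": 1.0}),
              Countermeasure("personal firewall on all systems", 25_000, {"network worm": 0.8}),
              Countermeasure("inline prevention appliance", 250_000, {"network worm": 0.9, "credential theft": 0.3}),
              Countermeasure("MFA for database access", 30_000, {"credential theft": 0.8})]

if __name__ == "__main__":
    print(select_countermeasures(RISKS, CANDIDATES))
```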

The only totally secure system is one that is locked away in a shielded room with no key, and isn't plugged in; but what use is that?

Note to the 150 execs calling on vendors to produce more secure software: get your own houses in order. There is no free lunch when it comes to security.
