1 – not really valid – we’ve said open source code gets more secure, more quickly but it is the security focus of the development cycle that determines if code starts out and ends up more secure.

2 – Running applications in multiple processes by no means guarantees that “no application gains critical access to system components”

3 – Starting from Linux does not guarantee a more secure OS.

4 – Access restrictions that somehow guarantee that applications won’t harm the user or touch sensitive data would be very nice. No evidence that they have actually achieved this.

5 – Code signing support, nothing new here, but a good thing.

6 – Total hogwash: “Google has shown time and again that it is focused on user security.” Not been true to date any more than any other software vendor.

7. – More hogwash – putting the bug reporting email address on your web site is pretty standard for every software vendor. I did a RN grading IT vendor web sites on this and other web site security pages over 5 years ago.

8 –  Sounds like the UAC feature in Windows Vista, which didn’t exactly prove to be effective, let alone popular.

9 – Not building a media player into the OS is a good thing, but the claims that “One of the most common ways attackers gain entry to a mobile phone is through audio and video running in a web browser” is a totally false strawman.

10 – “Google gets the web” is certainly valid, but so was “Microsoft gets the desktop” – Google certainly does have a good view of web sites and through acquisitions of security companies like Postini does have a good view of malware running out there.  However, talking with Gartner clients at our security conference and the recent Symposium I listened to many complaints from unhappy Postini customers since Google acquired them – it is not clear that Google actually “gets” how to secure the web.

Yesterday, I pointed out that “Transparency plus inspection is the friend of security, freshness not so much.”  This certainly holds true for Android – transparency and freshness, yes – inspection, not so much yet.

The staffer will likely be fired – there is surely some policy document they signed forbidding this and detailing their responsibilities and the consequences. But the damage has been done, the information is out. Combine the “myth of the responsible user” with the complexities and low security levels of consumer grade software and configurations and you have lots of these incidents occurring daily.

Now, the knee-jerk reaction will likely be to try to legislate bans on P2P software but that is dealing with the symptom, not the problem. The problem is that normal users can never keep up with what needs to be done to keep business data secure on their home PCs or on consumer-grade web sites and services. Enterprises have to put security controls in place to monitor, contain and ultimately secure the use of all business information, whether in the data center, on a managed PC or on a home PC.

There are actually a number of ways to do so – in “Optimal Approaches for Secure Use of Consumer IT” Mark Nicolett and I detailed a strategy with some typical scenarios. None of the solutions are perfect, but there are many ways to match the business need for use of consumer technologies with an appropriate risk level – just ignoring the use leads to incidents like what hit Congress.

Now, this may sound like the pot calling the kettle mercenary – Gartner has lots of conferences where lots of vendors pay Gartner lots of money. But, I dunno – I sort of expect a government-run security conference to be different than one run by private industry. I miss the old National Information Systems Security Conference (NISSC) that NIST and NSA used to hold.

Especially for a conference focused on the Security Content Automation Protocol.  SCAP is a great idea – anything that makes it easier for security information to be more easily accessed, exchanged and correlated is a good thing. Being able to feed vulnerability information from any vendor’s assessment product into any other vendor’s mitigation or intrusion prevention product can be a very good thing.

However, the end goal always has to be  to increase security by reducing damage – not to have more spending on more security products that will do nothing but send vulnerability and threat information back and forth in the name of “situation awareness” or “risk management.” There was way too little of the former and way too much of the latter being discussed.

Essentially, French felt regulation done right was needed and would increase cybersecurity. Earl said that capitalism had no conscience and regulation is always needed to inject that, security no different. Paul’s position was that regulation was needed to get management to pay attention.

My position is that regulation around cybersecurity can’t be done right, hasn’t and won’t inject security, and only causes management to pay attention to compliance not security. The difference is critical – government regulations can only work when something is stable enough for slow moving legislators to write regulations that can lead to some audit against some stable standard. Information technology is definitely not stable – software engineering is still an oxymoron. Most everyone agreed, and said that’s why the focus of legislation should be around “risk” not technology mandates.

I left the conference audience with my prediction: risk is pretty much like obscenity. It is impossible to define, but we all know it when we see it. But we all see it differently. Legislation around obscenity has a long torturous history of failing – especially where technology is involved. And technology is at the heart of the cybersecurity issue – that’s the cyber part.

My prediction is that any legislation in the next 5 years trying to mandate cybersecurity levels will be as completely ineffective and money wasting as the V-Chip legislation was in the US in trying to deal with inappropriate content over televisions. I’ve used this analogy before – back in 2001 when the browser industry was trying to claim the use of Platform for Privacy Preferences technology would solve web privacy issues, I wrote a Gartner research note “P3P Will Be the V-Chip of the Internet.” That proved to be pretty dead on.

Many have this vague hope that if government were to issue security regulations or if security reported to the President or if CSO’s were on the board of directors, then security would dramatically increase.  This hope is based on a delusion that security has the answers, it is just that no one listens. Basically: we have built it, but no one will come.

But when you look at most of the answers that come from those complaining that no one listens, it is basically “Look, it hurts when you do that – so don’t do that.” Essentially, if users would just obey the security 10 commandments and stop sinning, security problems would go away. It is as if the highway department said “we need a cabinet level traffic safety czar to convince people to drive safely.”

The answer will never be hoping people’s behavior changes towards safety – the answers are all about building safety in. Which is exactly what the most successful security programs do, and it is no coincidence that those doing that the best are very rarely heard calling for more regulations, cabinet level cybersecurity czars or waiting for users to stop falling for cyber-scams.

For whatever reason, Gartner and Disney made a lot of changes this year. The 1-1s and analyst rooms have moved and even worse Disney got rid of the oatmeal soap and now has some sissy Mandarin Mint soap – horrors! It’s funny to see how much these changes have upset the routines of long time attendees, both analysts and clients. Humans really don’t react quickly to change.

For that reason, attackers love change – it always creates openings. The best security programs do react quickly to change. Change in business processes, change in technology, change in threats. These days its all about how quickly you recognize change, how quickly you block threats – but just as importantly how quickly you move from trying to block use of a new technology to containing the use to embracing and securing the use of new technology.

Looking through my calendar at the one-on-one attendee meetings scheduled, the topics run the gamut. However, a few trends stand out:

1. Mobility – secure telework, secure use of smartphones and WLAN security questions.
2. Outsourcing – the terms are different (”use of the cloud” replaced “consume X as a service” which replaced “use an external hoster” which replaces “outsourcing”) but the questions are still about how the business can maintain security while outsourcing some function to external parties.
3. Threat update – what are the new threats we should worry about?

The questions I don’t see are to me the most interesting. Things like “How do I keep our corporate websites secure?” and “how do we make sure we aren’t already compromised by bot clients?” are missing. Essentially, there is a lack of attention to the current state of security.

Corporate web sites and desktops that are already compromised is a significant problem today, but the here and now is always boring – especially to the higher level attendees of Gartner’s IT Symposium. But the block and tackling of reducing current exposures is really where most of the gains will be made to make sure that mobility can be supported, that social networks can be used, etc.