The web dictionary defines 'codependence' as (I quote) "a mechanism whereby a person takes responsibility for the actions of another and helps them avoid facing problems directly in order to preserve stability in a family relationship." End quote. The canonical example of a codependent relationship is one in which a family member is alcoholic or abusive, and the rest of the family orbits around them trying to do whatever they can to avoid angering them. One of the pernicious hallmarks of a codependent relationship is when the party that is actually being abused takes the blame for it; "he wouldn't drink so much if I made him happier."
Does this sound familiar?
If you're a security practitioner, it should. That - in a nutshell - is the "typical" relationship between computer security practitioners and business managers. Security practitioners are always bending over backwards to try to make things convenient for executive management. Like a battered spouse, we complain to our therapists, "if we could only make things a little easier for them, then they'd be willing to take a few steps to secure their systems." But let's be honest: we don't do this because we actually think security is inconvenient. We know it's not exactly a hard problem. I've seen perfectly rational security practitioners bewailing the fact that "there is no way we'd ever get a manager to use an eight-character (with one non-alpha character) password. It's just too hard." Or, "maybe if the government or insurance industry puts a gun to their head, they'll take security seriously enough to understand the problem."
What a load of manure that is.
If you were able to offer a security solution to an executive that was 100% convenient, don't you know that there would be another excuse ("too expensive!") right behind it? And behind that: another excuse ("might impact performance!") ad infinitum. It's like arguing with a child - a child who controls your paycheck. Codependence, indeed.
Think about it: these people aren't stupid. Your typical executive can run a spreadsheet, understand a budget, figure out all the controls in the dashboard of their Lexus, and - if you asked them to - compute the net value of their stock options at the current price, including factoring in the strike price and alternative minimum tax. They can certainly remember an eight-character password (with one non-alpha character). They just don't want to.
Let me be frank. What about the job of "Chief Technology Officer" of a major corporation entitles one to be stupid about technology? I keep running into senior IT managers who play stupid - but it's the same game (I hope I'm not revealing any secrets here!) that most married guys play on their wives: they get out of doing the laundry by washing her white underwear in the same load as their bluejeans and are summarily excused from laundry duty henceforth. When an IT manager fields a system and "forgets" security, they know full well that the poor codependent security guys are going to scramble to cover their backsides - and they get to remain blissfully ignorant forever more.
It makes me fantasize about writing a memo to the board of directors at some company "We gave the CTO an IQ test and he failed. He couldn't remember an eight character (with one non-alpha character) password for his hard drive encryption, so we set the password to his wife's name. When he couldn't remember that, we tried his dog's name, but he said "SPOT" was too tricky. This guy isn't qualified to work a vacuum cleaner in the hallway, apparently, never mind overseeing our global network, outsourcing programs, and development labs." That would be the most creative letter of resignation, ever.
So what is really going on?
It's clear that security will always be exactly as bad as it can possibly be while still allowing senior managers to survive. Whenever it gets across that line - worse than it can possibly be - there will be a brief fire-drill in order to duct tape things back together again until next time. If that sounds too cynical for you, please, dear listener, go read the last few years' reports of computer security reviews on federal agencies. In the federal government, there's no board of directors to go to when you're dealing with poor senior management - and the government's reaction to bad managers is to increase their budget because, obviously, they wouldn't be as stupid if they had more money to spend.
Is there any hope?
I'm seeing some encouraging signs of "getting it" among the younger executives of the dot-com boom. These are the guys who grew up on the Internet. Remember an eight-character (with one non-alpha character) password? Heck, they'll argue with you about whether your password hash should be SHA-1 or IDEA. Firewall? They built one for their home system using Linux, so they could prevent denial-of-service attacks against their system when they're fragfesting. These guys love technology! If you told them they could have their BlackBerry surgically implanted in their cochlea, they'd be lining up for the procedure tomorrow.
Over the next 20 years, the old-school Sansabelt-slack-wearing, golf-playing, Gartner-reading executives are going to be retiring out of the work force and the dot-com generation will be taking over. By then, I'll be past the point of being able to help you, but I truly believe that you'll find security is an easier sell going forward. Tell the new generation of executives, "hey, don't be stupid about this." Remember, they grew up with 10-character passwords (with 3 non-alphanumerics), Nigerian banking scams, spam, malware, and botnets. They'll listen to you and you won't have to talk to them using little bitty words.