“Business technologists need to get serious about security, and start considering attacks against their software in a real way. That means getting security where it counts: in the applications and in the operating system. IT management needs to take drastic action and hold vendors responsible for even potential security problems. There is a tendency to whitewash these things or to put them on the back burner, since when security is not an emergency, it’s not a visible problem at all.”
This is an excellent analysis of how things have changed in IT security. We are so used to making IT departments responsible for security, yet we demand the freedom to use the web and other online services in every way possible.
We really need to re-think security in end user space. I agree completely that we need to hold vendors responsible – with US liability laws, I wonder why this hasn’t happened more already.
Until then, the only way to improve security is to educate users and recommend (rather: force) the use of programs that are proven to be more secure than others, like Firefox instead of IE and Thunderbird instead of Outlook (Express).
Making IT responsible alone will not help. We need to start working together to tackle this. And keep nagging the vendors and pointing fingers.