Dan Geer’s new article, Digital Affluence Is Making Us Less Secure, focuses on the overabundance of security products, which makes the decision (selecting the best product) hard for everyone from the normal computer user to the CISO.
When, in the name of security, we “lock down” an operating system, we do so precisely so as to counter that surfeit of choice, by removing functions not in use, by reducing the choice set of what might be running. The reason that the Web browser is the principal entry point for malware is the number of choices that a browser offers up to whomever is at the other end.
But the opposite of “so many products to choose from” is “monopoly” – MS, Google (how about the Soup Nazi?). But don’t take me wrong: as a security professional, I don’t support “overabundance”, as each product needs to be tested before it can be used in a company environment (i.e., more OSes means more testing, more accreditation — it’s like approving BlackBerry only to find out that management wants the iPhone, or deploying MS Exchange and then reading blogs and articles about the ever-increasing popularity of Google Apps…).
We can’t prove security products work, but we can prove that complexity matters, and that we are ourselves contributing to complexity by deploying too many security products. Like addled consumers facing 225 choices of toothpaste, we’re paralyzed. Every time we buy a new security product, we regret that the others we already have didn’t do the job and the paralyzing choice of whether this new product makes it possible for us to remove one or more of the old ones.