Q&A: Enterprise threats and compliance

John Viega is the CTO, Software-as-a-Service, at McAfee. John is the author of many security books, is responsible for numerous software security tools, and is the original author of Mailman, the GNU mailing list manager. In this interview, he discusses enterprise threats, compliance and his recent books.

With threats evolving at a breakneck pace and the underground working on a seemingly endless budget, what are the biggest challenges security professionals face when trying to protect their organizations? What should they especially be on the lookout for?
Frankly, the biggest challenges for IT security administrators are on the business side, and less in dealing with the bad guys. For example, it’s a huge challenge to get most employees to follow security policies, or even be self-conscious about security risks. And, it’s often difficult to get management to take security considerations as seriously as most IT security administrators would like.

Lately it’s been all about compliance but in your opinion, how important is security awareness in the overall security architecture? Can organizations do more than show cartoons and put up posters?
Awareness programs will never work very well. Even if you give (non-security) people classroom training, they are likely to forget or ignore what they’ve learned incredibly quickly. If security is important to your company, then you need to make sure to have the right technologies to enforce your policies, because most people are going to ignore them, because they have their day-to-day job first and foremost on their minds.

Some advocate compliance while others blame it for many of the problems having an impact on the insecurities of today’s organizations. What’s your take on the good and bad sides of compliance?
Compliance can cost a lot of money and waste a lot of time without providing any real security. On the flip side, it is tough to get companies to spend money on security they don’t have to spend. As a result, the security you get due to compliance is often better than what you would get otherwise. Plus, compliance is important for providing corporate accountability… it sets the bar, and we can hold companies responsible when they can’t jump the bar. It’s too bad that the bar has to be so low. But, industry has to balance security concerns with corporations’ drive to be profitable.

You’ve written several successful books. Out of all of your writing ideas, how do you decide which ones to develop further?
Generally, I don’t go looking for books to write. There’s usually a topic I care a lot about, where there’s a huge need for the book. That was certainly true with my first book, “Building Secure Software”. At the time, there were no books at all on the topic. With my newest book, “Myths of Security”, I felt that most of the security industry was misguided and a little too self-absorbed, and didn’t really see anyone trying to point out the flaws and suggest how we might fix them.

How long did it take you to write “The Myths of Security” and “Beautiful Security”? What was it like?
I didn’t write a single word of “Beautiful Security”, so that one was quick 🙂 Instead, I edited it. Particularly, I found most of the contributors, helped guide their topic choices, and reviewed what they wrote. Since so many people contributed to the book, most of the work was done in just a few months.

As for “Myths of Security”, I started doing some blogging on the O’Reilly network in September of 2008. The editors there liked what I was writing, and the response it was getting, and asked me to do the book instead of the blogging. I did a few essays a week, and was done with the writing in February or March. There are about 50 essays in the book, and each one probably took me, on average, three hours to write.

What kind of threat evolution do you expect in the next five years? What should we be worried about?
Two big trends will continue. First, threats are going to continue to get more stealthy. The bad guys want to make money, and getting noticed is bad for business. We’ll continue to see a rise in bad guys leaving behind botnet software, and then doing things to make money that you won’t notice. Of course, there will still be some in-your-face frauds, like fake anti-virus products that try to get you to buy them, even though they don’t do anything.

Second, bad guys are going to be looking for more money, and it eventually will be cheaper to target other platforms. Particularly, I expect to see more OS X malware. There’s some chance we’ll see more mobile phone malware, but I think it’s going to be a while before bad guys can make it worth the effort, since it’s generally really tough to put malware on a phone that is both effective and stealthy.