Why useless controls are bad for the industry, where to go from here, and a teaser for a future series of posts diving into specific common, useless controls in depth.
One piece of advice that I (and many others; we security bloggers are all very original) give to aspiring security minds who want to learn security is to go to the Security StackExchange and read a bunch of the top questions and answers.
If you follow this sage advice, you'll come across Tom Leek, the highest-karma answerer on the InfoSec exchange. He has a great way of explaining things. My favorite answer he ever gave responds to a question about why so many applications still had length restrictions on passwords (this was some years ago), typically eight characters:
I love this answer.[1] The internet is indeed full of chimpanzees. Worse, this isn't just the lowly, uneducated masses; our security ecosystem is very much full of chimps. Our chimp behaviors mirror the original DES issue above: we tend to invest in useless[2] controls that don't make sense, and they usually hurt operational effectiveness in the process.
This is a huge problem for the security industry: I'd argue at least half of our efforts (or at least our budgets) go towards controls of minimal to non-existent value. In this post I'd like to go over the implications of that; the next several posts (and probably many more a year, until I retire or die) will dig into the why behind specific common, useless security controls.