Ask a security professional about infosec challenges, and you'll get an earful of complaints about everyone else: Users click on bad links and open attachments, developers release buggy code, IT lags in applying software patches, the C-suite doesn't understand security priorities, and so forth.

But the truth is IT is figuring out how to work with developers, and today, many enterprises are starting to take user training seriously. In fact, security professionals fail to collaborate because they're too busy pointing out all the things everyone else is doing wrong.

Case in point: Last week, when I was at the RSA Conference in San Francisco, the DeveloperWeek conference was underway nearby. At the latter conference, I could find only one security-related talk on the schedule: Pete Chestna, Veracode's director of developer engagement, talked about how security was the next opportunity for developers. Veracode also had two workshops at DeveloperWeek on how the company approaches devsecops (the integration of devops and security). To me, it's astounding that none of the usual experts who rail about software vulnerabilities and application security made their way to DeveloperWeek. It raises the question of exactly who these companies are selling to if they aren't talking to developers.

Security still lives in a silo, walled off from the rest of IT and business. Worse, it seems like security wants to stay separate. It's easier to stay in the bubble, where everyone agrees with each other in their smug superiority, rather than stepping out into a new environment, breaking down the walls, and working together with nonsecurity professionals to actually make a difference.

Where is Microsoft?

That leads to the second big problem facing the security industry: Where is the leader to set the agenda for solving security challenges and to develop methodologies and technologies that address the problems? Microsoft is physically at RSA Conference - as a "diamond" sponsor, as an exhibitor on the show floor, and on stage calling for a Geneva Convention for cyberwar - but ever since the company axed its Trustworthy Computing Group in 2014, it has practically disappeared from the security conversation. Microsoft rationalized the shutdown at the time, saying security needed to become part of each product team instead of remaining an overarching domain. It's a stark change from when Microsoft launched Trustworthy Computing back in 2002, when then-chairman Bill Gates wrote in the companywide memo, "We must lead the industry to a whole new level of Trustworthiness in computing." With Trustworthy Computing, Microsoft developed a new security-focused mindset and improved availability and security models. The company led by example, showing other organizations how to integrate security in the software development lifecycle, establishing best practices in enterprise security, and working with partners on how to elevate security for everyone - not only internally.

Today, no one is setting the bar for security in the same way. Apple has made tremendous investments in security, but they are restricted to Mac OS and iOS, and even so, its secretive culture means no one really knows exactly what the company does. Technology companies have carved out their own niches, but no all-encompassing leader is filling the vacuum Microsoft and Trustworthy Computing left behind.