We've all heard the story when we were kids about The Boy Who Cried Wolf. A bored shepherd boy who keeps calling in help without actually needing it eventually encounters a real danger - a wolf.
The problem is, by the time the real threat arrives, the shepherd boy has meaninglessly called in his support so many times that they won't come when he really needs them.
I can't help but be reminded of this fable when I read the news feeds I get on all the various data breaches we're being deluged with right now in the media.
Enterprise Security managers and corporate CISOs/CIOs have been slowly drowning in data breach news across the various media outlets, and in their inboxes.
Everyone is getting breached, from the "hack heard 'round the world at RSA" and the mass-injection of hundreds of thousands of websites to every other type of breach you can think of - and this is just in the online world.
While I'm confident that some good is being done here, with phishing warnings gracing the cover of the USA Today Money section, I can't help but wonder if we're being de-sensitized to all the carnage.
As corporate leaders become de-sensitized, security managers are seeing an increasingly shrinking window to make security "top of the list" for spending and improvements - with Application Security being a hot topic all the way around.
I see security managers running around their organizations with their hair on fire, waving their hands that they need large amounts of capital for standing up App Sec tools and hiring new resources (or at least consultants).
I see companies throwing large amounts of money at the problem of secure software and I'm fairly confident that for a good percentage of these efforts this isn't moving the needle in a positive direction.
I've had a good many discussions with many of you already - money and technology alone won't bring us secure software or applications. Many times the idea of spending a large chunk of money on tools alone sounds appealing because someone selling you something says that you should - but I'd like to urge caution.
Without having a solid foundation and business case for software security assurance, it's going to be a bumpy ride to an unknown location.
We often say that "security is a journey, not a destination"... so if you've seen the data breaches and are worried you'll be next, spending large chunks of money or effort without first setting your course may be the quickest path to disaster... and a new job.
Ships don't just sail off into the sunrise without first having a course and strategy - your SSA program should be nothing less. Think before you spend your company's hard-kept capital... and make sure that the expenditure can be measured against company goals and your security trajectory.
I'll be the first to tell you that sometimes the right thing to do is to spend nothing on technology... and simply develop process and understand the problem better.
Before this post gets too long and preach-y I'll wrap it up, but I will urge you once more to take caution when reading the media and joining in the Chicken Little "the sky is falling" approach. Much like with everything else, slow & steady wins the race.
Cross-posted from Following the White Rabbit