For real estate professionals, the common mantra is location, location, location. For IT professionals, it’s security, security, security.

Computer users, ranging from barely-computer-literate grandmas to IT professionals, all want more of it. Businesses and individuals spend millions of dollars every year on security products and services such as firewalls, anti-virus and anti-malware software.

We want it, but we also hate it. In the corporate environment, users look for ways to circumvent the company’s security policies. Home users turn off default security features immediately after getting a new device or installing a new OS. Even security professionals hate security. So why do we all harbor so much dislike for something we need so much?

This love/hate relationship stems from the very nature of security. It exists on a continuum, with absolute security at one end and absolute convenience at the other.

When you have more of one, you have less of the other. Lazy creatures that we human beings tend to be, we usually prefer convenience to security – that is, until we become the victims of a security breach. Then suddenly, security is our new best friend – again.

Nobody likes jumping through hoops, and that’s frequently what we have to do for the sake of security. Who among us has never forgotten a password or PIN, or left a smart card at home? All too frequently, we find ourselves locked out of our own accounts or unable to access the files that we need and are authorized to use.

We find ourselves blocked from a web site we need to visit, or we don’t get an email message that we should have received, because our security systems incorrectly identify the site or the message as dangerous (a “false positive”).

Let’s face it: security is difficult to get right. Misconfigured firewalls, too-aggressive spam filters or anti-virus programs that conflict with our legitimate software programs can make security seem more like a constant source of frustration rather than a safety net.

Security makes for more work, both for administrators and for end-users. The latter have to keep up with dozens of different passwords for different purposes, and just about the time they have them all memorized, the security system tells them it’s time to change their password, again.

Oh, and it has to be at least 12 characters. Oh, and it must be a mix of upper and lower case alpha and numeric characters with at least one symbol. By the time you finally figure out a new password that the system will accept, it’s one that you’ll never remember, so what do you do? Write it down – thus negating the whole point of a secure password.
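As an added illustration (this code is not part of the original article), the composition rule set the paragraph describes, checked in Python and placed beside an alternative that enforces length and a blocklist of known-weak passwords instead of character classes. The three sample passwords and the tiny blocklist are constructed for this example; the naive bit estimate is a charset bound, not a measure of real strength.

```python
import math
import string

# Constructed sample inputs for this example (not taken from the article).
COMPLEX_BUT_SHORT = "Tr0ub4dor&3!"             # satisfies every composition rule
PASSPHRASE = "correct horse battery staple"    # long and memorable, fails the rules
DRESSED_UP_WEAK = "Password1234567!"           # passes the rules, but is a dictionary word in costume

# Stand-in for a breached/common-password list (constructed for this example).
# A real deployment would check against a large list, e.g. a Have I Been Pwned export.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}

SYMBOLS = set(string.punctuation)


def composition_policy(pw, min_len=12):
    """The rule set the article complains about: minimum length plus at least
    one lowercase, one uppercase, one digit and one symbol.
    Returns (accepted, list_of_failed_rules)."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len}")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        failures.append("no symbol")
    return (not failures, failures)


def _normalize(pw):
    """Strip the digits and symbols users bolt onto a word to satisfy composition
    rules, so 'Password1234567!' is compared against the blocklist as 'password'."""
    return pw.strip(string.digits + string.punctuation + " ").lower()


def length_and_blocklist_policy(pw, min_len=16, blocklist=BLOCKLIST):
    """Alternative policy: require length, reject known-weak strings, and allow
    any characters (spaces included) so that passphrases are acceptable."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len}")
    if _normalize(pw) in blocklist:
        failures.append("known weak password (blocklist)")
    return (not failures, failures)


def charset_bits(pw):
    """Naive upper bound: length * log2(size of the character pool in use).
    It overstates the strength of dictionary phrases, which is exactly why a
    blocklist check belongs next to a length rule."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in SYMBOLS for c in pw):
        pool += len(SYMBOLS)
    if " " in pw:
        pool += 1
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    samples = [("complex-but-short", COMPLEX_BUT_SHORT),
               ("passphrase", PASSPHRASE),
               ("dressed-up weak", DRESSED_UP_WEAK)]
    for label, pw in samples:
        comp_ok, comp_why = composition_policy(pw)
        len_ok, len_why = length_and_blocklist_policy(pw)
        print(f"{label:18} composition={comp_ok!s:5} {comp_why}")
        print(f"{'':18} length+blocklist={len_ok!s:5} {len_why}")
        print(f"{'':18} naive_bits={charset_bits(pw):.0f}")
```

Run as a script, it shows the composition rules rejecting the long passphrase while accepting the short string and the dressed-up dictionary word; the length-plus-blocklist rule does the reverse, which is the kind of policy a user can actually remember without writing it down.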

Another problem with security is that much of it is seen as ineffective. For instance, some web sites require that you answer “security questions,” but the question choices are all things that someone could easily find out with a little research, such as your mother’s maiden name or where you went to elementary school. These will keep out the casual random hacker but not anyone who is specifically targeting you. As with the mandate to remove your shoes at the airport, people hate security measures that inconvenience them without providing any real protection (a.k.a. “security theater”).

But a little convenience isn’t the only thing that ends up being sacrificed on the altar of the security gods. Security also comes at the expense of performance. Security mechanisms are bound to slow down your systems: checking ACLs to make sure you have the correct permissions, encrypting and decrypting data, running malware scans on programs and files before opening them – all of these actions take up time and resources.

Security is also a demanding taskmaster. Because hackers and attackers are industrious, always coming up with new and better ways to infiltrate our networks and computers, always ferreting out previously unknown vulnerabilities in our operating systems, applications and protocols, we can’t just install a good security system and set it and forget it, as we might do with a home alarm system.

Instead, we have to be constantly installing new virus and malware definitions and new patches to fix the flaws in code that the bad guys can exploit. As renowned security expert and pundit Bruce Schneier said many years ago, security is a process, not a product – and that process is a never-ending one.

Finally, security is expensive. Chances are most users will buy at least a few security products – anti-virus programs, perhaps a personal firewall. Business organizations spend millions on security in the form of edge devices, perimeter networks (DMZs) to isolate Internet-facing computers from internal systems, security monitoring systems, smart card readers or biometric scanners, and on-staff IT security personnel and/or security consultants, not to mention security awareness training for employees. It adds up fast.

If you’re in your 20s or 30s, you probably grew up using computers and the Internet, and you grew up having to deal with computer security. If you’re part of the “old geek generation,” you can probably remember a time when you logged onto your 286 and dialed up your Internet provider without giving very much thought to security. Of course, if you’re of a “certain age,” you probably also remember a time when we left our cars sitting on the street unlocked and didn’t even have a deadbolt on our front doors. But we live today in a different era, and security isn’t an option; it’s a must.

Of course, as much as we hate security, we love what it does for us. Without it, we would experience frequent system crashes from malware, viruses and various attacks. We would often be unable to access the Internet at all, because of denial of service attacks. We would be constantly at risk of having our credit card and bank account information, Social Security numbers and other identifiers stolen and used for identity theft or fraud. We wouldn’t be able to keep sensitive data such as tax returns, brokerage statements, medical records, or personal journals/diaries on our computers without having them exposed to the world.

As high profile security breaches become more frequent, we can expect more and more security measures to be implemented by organizations in self-defense. What hardware and software vendors need to do is focus on ways to increase security that will be easy to deploy for admins and seamlessly integrated for users. To an extent, this is happening. More software development is following the “secure by design” philosophy and building in security from the ground up. That means fewer third party add-ons have to be installed and configured and maintained.

User education is another key. No matter how well your systems enforce password complexity requirements, those requirements are meaningless if users reveal their complex passwords to others, either by carelessly writing them down or when tricked by social engineers. Making users fully understand the reasons behind the various security measures can go a long way toward getting them to take security more seriously.

Future technologies promise to make security much more palatable to admins and users, via advanced biometric authentication techniques, faster processing to ameliorate the performance hits, and “polymorphic” security that can change and adapt automatically in much the same way polymorphic malware mutates to avoid detection.

We’re a long way from that utopian secure future, though. In the meantime, it’s time for us to sit down and come to terms with security.

I know two business people who had built a successful business partnership together but dissolved it after a few years because of personality clashes. Both were brilliant guys with big egos and their differences of opinion led to unpleasantness. Apart, however, neither was nearly as successful and both were floundering. A mutual friend finally sat them down and said, “Look, you don’t have to like each other to work together. You just have to accept each other and accept the fact that you need each other.” Now they’re back together and doing well. The difference is that they’re no longer trying to be best friends just because they’re business partners.

Security might not ever be your best friend, and you don’t have to like it. What you have to do is learn to live with it, because it’s always going to be a part of computing. We need to stop looking for ways around it, stop complaining about it, acknowledge its importance, and get on with business.