Dailydave mailing list archives

Re: Quick Review: Cyberwar as a Confidence Game by Martin C. Libicki


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 25 Mar 2011 12:55:02 -0700

> I guess my real intent was to rebut Michal's statement that the blame
> should fall, partially at least, on the vendors. Vendors build what
> they can sell.

I don't blame vendors for selling products that the market needs...
but it's also difficult to deny the existence of a fairly strong
feedback loop: vendors often take part in creating new markets
(through PR activities and exec-targeted advertising), or have a say
in defining compliance frameworks that put an emphasis on commercial
and easily measurable efforts. This, in turn, affects the shape of
future IT departments and their needs.

Given that skilled security practitioners are in short supply and are
difficult to tell from so-so ones (existing certifications don't help
that much), I actually think that vendors have a more dominant role in
this process than any other coherent group could.

Now, of course, pinning the blame is not a particularly productive
pursuit. But in the end, partly because of such feedback loops, many
large organizations lack the technical expertise to understand what
determined attackers may attempt, and how to mitigate the threat.
That's not a new problem, it's just one that the industry ignored in
hopes it goes away; in this context, I'm not sure that the whole APT /
cyberwar meme will do more good than harm.

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

