I’ve been asked repeatedly why security is so bad. For years I’ve just ignored the question, figuring it was pretty obvious to anyone who spent more than a few seconds observing IT. However, I’ve come to the conclusion that it’s not obvious. Most people don’t get why IT security is hard and getting harder, and why we’ll never truly have IT security to the point where we don’t have to worry about it. Much of the problem actually stems from the fact that IT security is pretty much in the same place it was back in the 70s and 80s. It’s stagnant. This isn’t a problem with the folks in IT security but rather a sad indictment of IT itself. It’s been stagnant since the 70s and 80s; not much has changed. And therein lies the problem.

But why do I say that it’s the same as the 70s and 80s? Because no one is attacking the real problem: the actual IT infrastructure we have. We are still using the same technologies invented back in the 70s and 80s (sometimes earlier!) and attempting to interconnect said technologies in ways they were never meant to be connected. This has meant hacking and

