When a business outsources its technology infrastructure to a services company, the businesss executives need to have a high level of trust in the outsourcing provider. When the services company is handling the security infrastructure of a business, the required level of trust is at its highest. Companies must trust, above all, that the provider has integrity, that it bases its decisions and actions solely on technological considerations, and that it is not a tool of influential industry players.
Thus, its our view that @Stake officials acted unwisely in firing the companys chief technology officer, Dan Geer, a highly respected security researcher with 30 years experience in the field. The firing took place one day after a paper that Geer co-authored with several other prominent security experts was published. The paper finds fault in the excessive use of a single product family—the scientific term is monoculture—and blames it for the recent spike in security problems. In the case of the IT industry, the single product family is that of Microsoft.
A statement that a monoculture is vulnerable to attack is hardly controversial. Bruce Schneier, one of the papers co-authors, told eWEEK security reporter Dennis Fisher that researchers have been saying this for a decade. In addition, Geer was clear the positions were his, not @Stakes. But Geer was fired right after the paper was published. Since Microsoft is a big customer of @Stake, it does not take a fertile imagination to guess that @Stake took action to please Microsoft.
Companies take all kinds of actions to appease big clients or to maintain good relations with key industry partners. But while this may be business as usual for many companies, security companies and their customers would be better served by a higher standard. Customers need to know that actions are being taken for sound technological reasons, based on what works and what doesnt, with the customer, above all, in mind.
Unfortunately for @Stake, customers may now wonder if its consultants make decisions based on the influence of @Stakes partners and clients or based on objective judgments. If an @Stake representative says its OK to use a certain system in a specific configuration, is that statement based on technological honesty, or is it because the product is an important one for an @Stake client?
Whether or not doubts are justified, once a doubt appears, companies will wonder if they might be better off with another security company that has more clearly demonstrated its integrity in the face of industry influence.
If patients suspect that a doctor is prescribing medication not because patients need it but to maintain a good relationship with a drug company, that doctors practice would justifiably suffer. In IT security, the same principle should apply: The burden of proof is on those whose livelihood depends on the trust of others.
Send your comments to [email protected].