The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
An IT security professional gives you the inside scoop on an industry that puts security before usability and cost.
The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know. By John Viega; published by O’Reilly Media, www.oreilly.com (Web); 260 pages; $29.99.
Those of us who aren’t tech professionals are frequently confused by the concepts of IT security and highly uncertain about the severity of threats to which we are exposed. We spend considerable amounts of time and money to protect our computers and data, then just when we feel somewhat secure, we invariably learn that some new threat has emerged and new software patches, updated programs, or other efforts are required. It never ends and we are never quite sure we can breathe easily.
The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know is a welcome book providing considerable insight into the computer security industry as seen by one of its executives: John Viega, a former chief security architect at McAfee. Easy to read, the book frankly discusses the state of computer security products at a level the average user can understand. Anyone using a computer will find the book both provocative and interesting, and reading it will help them make more informed choices as a consumer.
Viega cites the disconnect between “geeks” in the industry and consumers for some of the problems with security. For example, “[T]here is still a massive amount of dysfunction in the industry,” Viega writes. “Security geeks care about security. They don’t worry about usability, and they don’t worry about cost....”
He seems also to suggest that we are wasting our money by investing in products intended to provide security, noting that when consumers purchase security, “it’s not always clear that they’re better off….”
Reading The Myths of Security is a useful exercise, but a disturbing one. And Viega might be seen as complicit in the industry’s failings, since he worked for McAfee. Make what you will of this, but if you have a stake in IT risk management, read the book.
Reviewer: Mayer Nudell, CSC, is an independent consultant on crisis management, contingency planning, travel security, and related issues. He is an adjunct professor at Webster University and a member of ASIS International.