Thursday, March 09, 2006

A bizarre suggestion

BusinessWeek suggests that Apple appoint a CSO in response to their latest security issues.

Appointing a CSO is a pretty good idea for any F500 company. Apple has a lot of important data that it should be ensuring is kept secure: product plans, sales data, customer data. It is easy for a company to say that everyone puts security first, but security is not the primary statistic used to evaluate executive performance, and if a statistic exists at all it is because a serious problem was discovered. There is no way to measure the number of security issues that an executive has created that have yet to be discovered.

Unless there is a single person with primary responsibility for putting security first, security is going to suffer. A CSO/CISO reporting directly to the CEO or a division GM is an essential senior appointment for any major company.

But the job of a typical CSO has very little to do with platform security. There are some companies where the job of CSO includes responsibility for product security, but there is a huge difference between getting the company through a SAS70 audit and running a research/development team responsible for platform security.

What Apple needs to do is to hire some people who are not 100% invested in the notion that Unix is automatically secure, to shake the development teams out of their complacency. Their situation is actually quite precarious: they made huge strides in security a decade ago, and they were the first company to support encrypted email in the operating system. But they really have not done anything memorable since, and they are rarely present on the standards circuit.

Apple now has millions of Internet-connected users, and users are the weakest link in any system.
