The former CISO of a large intelligence community agency once told me, “The number one challenge in IT Security is the carbon-based life form.” Needless to say, that comment has stuck with me as I read articles daily about hacks with their genesis found in credentials lifted from phishing schemes.
Given that background, I was asked recently if IT security awareness and cynical mistrust in engaging in confidential transactions online were generational. I believe the answer is absolutely. These generational differences affect IT security broadly and software security specifically.
Not to date myself terribly, but I remember the rise of the Automated Teller Machine (ATM). At that time, banking transactions required going through the drive through or – gasp – parking your car and physically entering the bank. Prosperous banks had an abundance of drive-through lanes, and in busy times such as paydays (no such thing as direct deposit), cars were three to six deep.
When the ATM was unveiled, it was an object of immediate distrust. At first, all you could do was remove cash and people fretted over what to do if the machine provided less money than requested. We were also introduced to the PIN and told to treat our number as a state secret. There were additional physical safety concerns with extracting cash while others hovered around the ATM.
Eventually, the convenience factor wore away cynicism and mistrust. Then the banks upped the stakes by allowing deposits via ATM machines, and cynicism and mistrust re-emerged. After all, you were placing your hard-earned check into a machine. Even though you got a receipt, the confidence that the machine would properly process your check was low. However, that mistrust eroded over time.
As online transactions surfaced, my generation had to learn to trust yet again. This time we had things like seals on the bottom of a web page, providing us some vague assurance that all was well. The truth was that most had no idea what the seal meant, but it provided us some form of confidence to dive into the new world of disintermediation.
Why bring up the advent of the ATM and web site seals? To establish that my generation has seen digital transactions introduced from the ground floor, so we carried with us a predisposition toward mistrust. In contrast, millennials were born into digital trust. Digital transactions have been a part of their experience from the beginning, so they naturally engage in online activity. They share their lives openly on social media and being connected is in their DNA.
For example, when I see a commercial about locking a house through a mobile application my first thought is a sarcastic, “Oh sure, what could go wrong with that?” while a millennial likely thinks, “Cool!” I know I’m compromised a bit by being in the IT security industry, but other friends my age respond the same way. I want to know it’s secure, and would take the time to factor some form of validation that the application is secure and that there was some form of protection if my phone were lost or stolen.
For those companies selling to the younger demographics, connectivity is seen as a differentiator for their products. To feed the appetite for connectivity, businesses spin up websites at alarming rates, and continuous integration enables organizations to update commerce sites multiple times a day. When velocity and agility become the top priorities, security is sure to suffer, as security is viewed as diametrically opposed to those priorities. There is a widespread misconception that security slows down the processes we are feverishly trying to accelerate. The irony is that certain security technologies have been shown to actually increase productivity.
The problem is exacerbated when these applications are directed at a more trusting demographic. Personal and sensitive data is entered without considering the source, or where that data will eventually reside. How many people use a smart TV or thermostat without considering what is happening to the data collected by these devices? Peculiarities in a transaction that would raise the cynicism and mistrust of one generation are likely not noticed by others. My generation learned at the feet of the previous generation, which preached that anything that looks too good to be true normally is. Younger generations tend to click first and ask questions later, because they were born into digital trust.
If the biggest problem in IT security is the carbon-based life form, and if those life forms are becoming less mindful of security, and if development is making the risky decision to place speed over security, then we are heading for an unhappy convergence. At a time where application security testing should be more prominent, it is being pushed aside in the name of agility or through neglect.
Heavily regulated businesses don’t have the luxury of making that choice, and that is why they perennially lead the pack in the Building Security In Maturity Model (BSIMM) measurements of software security maturity. But there is another shifting of tectonic plates already under way. The Internet of Things (IoT) will result in billions of connected devices coming on line in the next ten years, and the associated software will be built by industries that traditionally have not emphasized software security. The target demographic for IoT devices will be those born into digital trust, drawn to the shiny IoT objects like moths to a flame.
So the generational divide in security will likely continue to grow as children are exposed to connected devices from before the time they can remember, and cynical and cautious old timers like me, who remember the rise of the ATM as some misty memory, move away from the middle of the bell curve