Thinking About Security: Security by Numbers

04/03/2014 15:19 GMT | Updated 04/05/2014 10:59 BST

This week sees one of the largest trade shows in the IT security industry: the RSA Conference in San Francisco. At the conference where "The World Talks Security", the theme is all about conversation: 25,000 professionals sharing the latest improvements in information security.

But as headlines roll in this week about more huge password breaches, unwitting people being caught up in so-called ransomware and dodgy apps that steal your money, are we sure that we're really talking about security in the right way? And that's before the big headline-grabbers of Snowden and the Apple fail fail bug.

Of course I'm delighted that we're talking about it at all: over the past few years computer security has emerged from the shadows of academia and government to be an area of regular public and legal discourse. Now that we live so much of our lives online the issues have been thrust into the limelight. But how many of you feel truly informed about the issues or empowered to do something about them? Do you want to be?

If you do want to be informed then there are 2 obvious places to go: mainstream news media and Google search. So I tried a search for "computer security" (and a handful of variations) and I'm sure you can imagine what I got: lots of links to companies trying to sell you something to make all the monsters under your metaphorical bed go away.

So much for search. What about news? Do I even need to say this? News is news; it has to be big and spectacular. By definition news isn't about the everyday mundane life of a digital citizen. So we get excellent (and not-so-excellent) reporting on the government snooping allegations and the large commercial failures but that doesn't help the everyday smartphone user or silver surfer better understand their personal world. The government can get you if they want, that's for sure. But I'm unconvinced that they're using their incredibly expensive sophisticated techniques to steal your credit card data or TXT your money away. As an individual you are more usually facing the opportunist thief, not a SWAT team, and that's where we need to do better at reporting and discussing issues.

We all live multiple lives - as private individuals, national citizens, and corporate employees - and all those lives need to develop the same intuitive sense of security in the digital world as we already have in the physical world. Somehow we all know that wandering into a strange area at night is not a good idea, but few people get the same knot in their stomach when they approach a strange website. Buying antivirus and then forgetting about the problem doesn't make that any better.

Don't get me wrong. I'm certainly not going to trash the industry that feeds my family. Security companies in the main try to do a good job with whatever clever tool or technique they specialize in and do work tirelessly to limit the power of many of the threats out there - modern Google Android for example attempts to spot rogue premium rate SMSs. But my point with this is more to say that at a certain point such things are like all those exercise programmes that are advertised on late night TV commercials: they can do amazing things, but only if you understand what they're doing and put in the extra effort.

If we as a society are going to be ready for pervasive wearable recording technology, Internet of everything and shared online medical records then in the future when The World Talks Security the conversation can't be confined to just 25,000 geeks in California...