18 Jan 2024

The Security Industry Isn’t All That Interested in Security

Recently, Mandiant, a high-profile security provider now owned by Google, had its Twitter account taken over by a hacker. While that should probably be a big deal, it isn’t all that surprising considering what Mandiant has become high-profile for. It is not known for making sure that companies’ systems are secure, but for coming in to investigate things after a breach. While it has gotten plenty of coverage for that for years, that coverage hasn’t led to security getting noticeably better. That is part of a larger issue, which is that the security industry doesn’t seem all that interested in security.

Another recent example of that came in response to testing we did to see if WordPress security plugins had protected against a serious vulnerability in another plugin. Someone in the security field told us that this wasn’t “useful”. When we asked why they thought that, they responded in part that we hadn’t focused on the details of the vulnerability. Based on the rest of the conversation, it appeared that they didn’t understand why anyone would focus on anything other than vulnerabilities. That is obviously odd when it is the security industry, not the vulnerability industry. Stopping vulnerabilities from being exploited is obviously important for security, and whether the tools people rely on actually do that is a security question, not a vulnerability one.

Their other focus seems to tell the rest of the story, as they were saying our information isn’t useful for red teams. A red team is a group that tries to exploit systems. Ostensibly its goal is to help secure systems, so knowing whether security solutions work would be useful to it. But making systems more secure is bad for their job prospects, as there would be less interest in their work if systems were generally secure. Also, the less secure systems are, the easier it is for them to appear good at their job, hacking systems.

Having a security industry that isn’t all that interested in security hasn’t been bad for the industry. It obviously isn’t good for everybody else, as the constant stream of major security breaches shows.

Fixing the terrible state of security would likely require a combination of good journalism to shed light on the problems that need to be addressed and government action to address them, as the security industry has no interest in taking care of those problems itself. As we noted last week, security journalism isn’t doing its part.
