21 Feb 2018

The Failure to Update Vulnerable Plugin is Reminder of Security Industry’s Apparent Lack of Interest in Making Sure Websites Are Secure

Something we have recently been thinking might be a helpful way to explain why security is in such bad shape, despite the amount of money being spent on it, is to think of the security industry not as the “security industry” but as the “insecurity industry”. By that we mean that most of the security industry seems to be focused not on trying to make things secure, but on selling people on the idea that insecurity is very much the natural state of things, that you are under constant attack, and that while they can offer you the best security, you shouldn’t expect that the protection provided by that is actually all that effective.

As an example of that, take something from Wordfence recently, where they seem to be describing a situation where some web hosts had failed at a basic of security for their service and allowed customers access to other customers’ files. Not only is that a failure at a basic level for a web host, what they seem to be describing is something that was a huge issue with web hosts a number of years ago, so there would be even less excuse for that still happening in 2018. To Wordfence, though, the situation was very different: [Read more]

1 Feb 2018

What Happened With WordPress Plugin Vulnerabilities in January 2018

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide you that through our service.

Here is what we did to keep those already using our service secure from WordPress plugin vulnerabilities during January (and what you have been missing out on if you haven’t signed up yet): [Read more]