Leadership, Software Development, Tech Industry, &c

Tech Giants: Please Make Security Usable

Another week, another round of high-profile tech announcements…  And security woes.  Apple announced its new Pay service, which may finally make digital payments mainstream.  It was, however, tainted by concerns arising from “Celebgate” and the presumed role iCloud security played in it.  Meanwhile, Google was busy explaining that the five million Gmail credentials recently published by Russian hackers hadn’t been obtained from their servers.  Tech giants have successfully transitioned us to a cloud-based digital lifestyle, but a lot of work remains to ensure security is actually usable and effective enough.

“Will It Be Secure, Tim?”

With Apple Pay, everything the company has shown so far points to a sophisticated, well thought-out system in terms of both user experience and security – an exceptional achievement, given these two quality attributes often find each other at odds.  Regardless, skepticism lingers: reporters asked Apple CEO Tim Cook as soon as the announcement event was over whether the potential security breaches around Celebgate might ever put Apple Pay at risk.  And everything points to similar concerns increasing over the coming years.

I’m not trying to pick on Apple here.  It’s an industry-wide issue.  Traditionally, it seems tech giants have seen security the same way HR departments see salaries: money is not a key motivator, the saying goes, but lack of it certainly is the greatest de-motivator.  The challenge then becomes paying people just enough that they won’t be bothered by it and focus on the job to the best of their skills – but not a cent more.   With security, people may flee a service if it even seems to be insecure, so the strategy has been to do just enough to make people feel secure, with most focus going to other aspects.

This strategy has brought us unprecedented ease of use and adoption of disruptive, innovative paradigms.  Whereas we had all sort of issues with dial-up connections, printers and new hardware back in the 90’s, the aughts have brought us social networking, media creation and sharing, the cannibalization of traditional telephony services, and an explosion in the adoption of richer communication options.  The key here is massive adoption: it’s not been geeks and IT professionals that have made Facetime, Dropbox, YouTube and many others daily staples of our digital lives; it’s truly been all of us.

The Return of Trustworthy Computing?

However, precisely  because the cloud has gone front and center, security can no longer play second fiddle.  We already know what a massive security meltdown looks like: Microsoft had one a little over a decade ago.

In the early aughts, as the Internet started to expand into everyday life, Microsoft increasingly became the target of bitter critic.  Its Windows operating systems, both clients and servers, were becoming infamous for the easiness with which they could be compromised with viruses, malware and other security exploits.  Since security is an architectural concern, this couldn’t be fixed by simply issuing a patch; instead, then-Chief Software Architect Bill Gates embarked the entire company in a quest to make Windows secure again.  Without pretending to imply that Windows is now perfectly secure, years of very hard technical, organizational and PR work under the “Trustworthy Computer” banner have helped Microsoft and its massive user base more or less regain trust and control over their platforms.

Time for Radical Change

With the cloud, the stakes are higher than ever.  Technically, it would seem we are well prepared: SSL has become prevalent, strong encryption is widely available, smartphones are pervasive enough to make two-factor authentication mainstream… Yet somehow it is not happening.  Most people are not using two-factor authentication.  Security breaches are becoming more common and more devastating.  Properly securing a typical computing setup is still more complicated and harder to validate than it should.  The substantial improvements to usability and ubiquity we’re seeing with other capabilities have not extended to security.  We need more companies considering actual, large-scale adoption of proven secure practices as a strategic goal on par with adoption, conversions and other cloud business KPIs.

While functionality and aesthetics are at an all-time high, easy-to-use, reliable security remains elusive – and this is a dangerous time bomb, ticking away, threatening an ever expanding segment of business and societal dealings, and the very livelihood of the contemporary tech giants.

Please, get on it, people.  All of you.  Now.