Should Software Companies Be Liable for Security Vulnerabilities?
Last week, when Apple hired David Rice as its new Director of Global Security, interest in this question was renewed once again. David Rice is a very well educated and widely known industry expert. He graduated from the U.S. Naval Academy with a degree in Information Warfare. Aside: this is really cool stuff that we on the private side don’t get the opportunity to do, or at least are not supposed to do. He also served in the Navy and worked at the National Security Agency (NSA). This guy seems to know his stuff and is probably best known for his book Geekonomics: The Real Cost of Insecure Software. Many in our industry have commented that his hire is just Apple’s way to get a better position in the government space for additional revenue. I am not convinced that his hire was calculated for that reason. Maybe Apple is realizing that secure code and good security are necessary in this market.
Mr. Rice and many others have fought for better code, which is what we all desire. Many with that position have gone further by advocating that software companies should be sued and held liable for the cost of insecure code. Some even believe that the Federal government should regulate and penalize these offenders. This position makes me think back to the basis of our free market system: consumers, when educated about the choices, will select the good or service that best meets their needs or desires. Unfortunately, this model assumes several things are in place. One of the biggest assumptions is a free and open market with many choices. Today, with a very small number of choices for the software we need, I don’t believe this is in place. Maybe, if the government has a role in this model, it is to foster an environment where more competition can enter the market to make our options better. The second assumption is that the buyer will make a well-educated and “selfish” decision to maximize his or her own self-interest. While I don’t think our culture has a problem with the “selfish” part of this equation, consumers don’t always make the best-educated and researched decision. I think many times IT consumers, whether corporate or individual, just follow the pack. How many times have you heard “You don’t get fired for buying Company Y”?

Apple should be very pleased that it made such a hire as David Rice, and I hope that he can make a positive impact on that organization. However, my greater hope is that we, as a buying community, will force software companies to improve their products through market pressure.
By: Thomas Lewis, CISSP, CISA
