It’s not only the most famous line from the movie A Field of Dreams, but also the classic product management mantra: “if we build it, they will come.”
The announcement of the creation of Simply Secure – “a new organization focused on making open source security tools simpler and easier for people to use” – is an interesting attempt to change the forces that have up to now been slowing or blocking the adoption of security in consumer-facing devices and applications.
The premise behind Simply Secure seems to be that it’s not that the necessary security technologies don’t exist … they do … it’s that “they’re inconvenient, or too confusing for the average person to operate.”
And the solution to this problem, apparently, is that we just need to get the right collection of smart people (specifically, not only people who understand security, but also people who understand user interaction and consumer design) to work together on implementing consumer-facing devices and applications that are simple enough that regular Joes and Janes will be more likely to adopt them. In other words, if we build it and dumb it down, they will come.
A classic way that people have traditionally thought about these matters is that there is always a trade-off between security, productivity and convenience, and total cost. For example, stronger security might be less convenient or cost more than a less secure alternative. An emphasis on convenience might require the willingness to accept a lower level of security, and maybe to accept a higher cost as a result of breaches. And so on.
The folks that are behind the Simply Secure initiative seem to believe that they can break the connections in this traditional trade-off – that is, that consumers can be enticed to adopt stronger security simply by making it easier and more convenient to use. At the same time, although they really don’t call attention to this point, they also seem to be addressing one very important part of the cost issue – no, not the cost to the consumers, but the cost to the implementers. Both are important.
In the specific example of consumer authentication, I wrote about my perspectives on the flurry of consumer-oriented options for stronger authentication (see Two-Factor Authentication: What a Long, Strange Trip It’s Been), and also about my observations on the typical evolution of multi-vendor alliances (see Here, FIDO! If We Build Stronger Authentication, Will Consumers Come?).
My initial take on Simply Secure is similar: this is very good to see, and I’m encouraged when smart people are willing to put their time and effort where their ideas are, and try to effect a positive change. At the same time, I’d advise caution against the irrational exuberance that tends to build around these initiatives when they are first launched. Experience shows that any material impact will probably be the result of a sustained effort over a long period of time.
As an ironic postscript: on the day after its launch, visitors to the web site for Simply Secure are greeted with this all-too-familiar message:
“There is a problem with this website’s security certificate. The security certificate presented by this website was issued for a different website’s address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. Recommended: Click here to close this webpage. Not recommended: Continue to this website.”
Really, this just proves the point that they might say they’re trying to change the forces related to consumers, but they’re really changing the forces related to developers. It seems pretty clear that they should use some of their big brains for security and design on their own web site.
For more on the challenges of security, read the Aberdeen report Managed Security Services: When It’s Time to Stop Going IT Alone