We Don't Understand Why
I say that "we"1 don't understand why security continues to fail because there are so many people saying that they have the answer. To me this means that
- We have many things wrong with our networks.
- We don't understand what's really wrong.
- Both.
I'm one of those people who believe that the answer is really closer to the last bullet than either of the first two. The fact is that there are so many things that are broken we haven't taken the time to figure out what the real problem is. We spend our days trying to keep the barbarians from the gates, so we don't have the time to really craft a reliable model of our security.
Various enclaves of thought bring up good reasons for our failure, such as we don't measure enough things, but it boils down to the fact that there are lots of broken bits and no way to replicate a successful model.
In many ways, our world is like the world of the theoretical physicist—they're trying to make sense out of a science that they can't see. There are many theories, but little empirical evidence to back them up. The most fleeting of these is the unification of the three forces into a grand definition of the universe. They keep hammering away at it by devising experiments to prove some minute aspect of their theories. Each time, they get one more tiny piece of evidence that brings them closer to the truth. I'm sure that one day they will succeed in completing the grand model of the universe, but we don't have that kind of time to wait for a security solution.