When I was in grad school, some time ago, my office mate showed me a cartoon of two businessmen - one American and one Japanese. The American was big and fleshy with a cigar, while the Japanese businessman was slender, stylish and alert. The American basically asks, "Why are you guys doing so much better than us?" The Japanese businessman is shown extending his fingers and counting off as he says, "Your managers are greedy, your workers are lazy, and ...". But before he can finish even the most obvious reasons, the American interrupts impatiently and says, "I know, I know! But what's the trick?"
Marcus Ranum expressed a similar sentiment during a recent interview when he said that IT people will do practically anything to make their network secure except design it correctly. He compared this perverseness to people who will do anything to lose weight except diet and exercise. What's the trick? No tricks.
And last month, John Pescatore of Gartner reiterated his Security 3.0 position that prevention is better than cure, and that we should have a strategy for fixing bugs at the source. I take his recommendation, which could easily have been made 10 or 15 years ago, as a statement that security professionals need to return to the basics. This will not be particularly useful news for "what's-the-trick?" IT managers, but by now even they must realise that their hats are rabbitless and their sleeves are aceless. What's the trick? No tricks.