
Why Security is Google's Achilles Heel -- Part IV

It is interesting that since I started this series spotlighting that security is and has been, for all practical and official purposes, a low corporate priority for Google, a Googler now publicly claims: "for Google, there is no higher priority than the safety and security of our users."

  • This new public claim was made as part of a press release announcing that Google has joined the board of the National Cyber Security Alliance.
  • While I commend Google for joining the National Cyber Security Alliance, it is telling that none of the relevant official Google corporate links indicate that security is a high priority for Google: check "Our Philosophy -- Ten Things," "Design Principles," or even "Google's Security Philosophy."
  • We will know that Google has made security a high priority when they actually walk the talk and when their official representation of their corporate priorities (in the main corporate links above) reflects that security has truly become a new higher priority for Google.

This new claim and development present a useful opportunity to evaluate Google's stated security philosophy.

  • First, nowhere in Google's Security Philosophy statement does it say anything remotely like: "for Google, there is no higher priority than the safety and security of our users."
    • Most tellingly, Google won't state that it has security responsibilities; it only says: "we feel we have a responsibility to protect your privacy and security." [bold added]
      • As we know, "feelings" are fluid emotions, sentiments, attitudes or opinions -- not more solid beliefs, commitments, obligations, or duties.
  • Second, it is telling that Google's stated philosophy is that security is "done best as a community."
    • Google then deftly distances itself from security responsibility by largely delegating responsibility for security back onto users, spending the rest of their section on security discussing how users can report security problems to them so they can then react to them.
    • Google's passive and reactive security philosophy appears very similar to its passive and reactive copyright and privacy philosophies, i.e. Google will try to be responsive if someone identifies a specific problem to them, rather than taking a more proactive prevention approach.

In closing, this last point underscores why security is such an Achilles heel for Google. Google's official security philosophy is to be reactive not proactive.

  • An interesting juxtaposition here is that Google's reactive security philosophy is in stark contrast to President Obama's proactive cybersecurity philosophy laid out in his 5-29-09 cyber-security address: "We will ensure that these networks are secure, trustworthy and resilient.  We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage."

A reactive approach may have been enough to muddle through when Google was a startup, but not when Google is by far the most widely used Internet application in the world.

 

Part I: "Why security is Google's Achilles heel"

Part II: "Google values security much less than others do"

Part III: "Google: 'security is part of our DNA' (Do Not Ask)"