Ask not what the security industry can do for you, but what you can do for the security industry
I read an article in Forbes this week by David Lowenstein, the CEO and co-founder of Federated Networks, and Risu Na, the CTO and co-founder of Federated Networks. The article states that there is a growing crisis of confidence in computer security.
In fact the authors are much more harsh than that. They say “we would argue that cyber security is not only broken, the term itself is dangerously close to becoming an oxymoron, if it hasn’t been labeled so already.” They chide us that despite spending something like $40 billion on security, “the capabilities of current solutions to detect malware have decreased to levels low enough to wonder seriously whether they provide any meaningful benefit.”
Them there is fighting words!
Lowenstein and Na list these potential reasons for this utter failure of security, and then argue why each of them is not really a valid excuse:
- Lack of Awareness: We would like to believe that this is due to lack of awareness. This is highly unlikely as broad media coverage has ensured that most everyone has some understanding of the magnitude of the challenges and issues facing cyber security. Although the media had sometimes been criticized for being overzealous in their reporting, the high level of public awareness of cyber insecurity cannot be disputed. As such, lack of problem recognition would appear to not be a contributing factor to the challenges at hand. In fact, the growing acknowledgement that existing solutions, methods and directions are not working creates an opportunity for discussion, which is a step in the right direction. What is less clear of course is what exactly to do.
- Lack of Resources: Given the legion of researchers in government, academia and industry, as well as the monumental financial investments committed to solving this problem, it would be difficult to imagine that lack of resources is a likely hindrance to progress.
- Lack of Adoption: The sheer size of the cyber security industry, by some estimates upwards of $40 billion globally, would indicate that significant solution adoption has already occurred. Of course, even greater adoption rates and spending would have some benefit and thus merit, but given the significance of current expenditures, we can garner more leverage by redeploying expenditures to solution sets of greater efficacy.
- Lack of Ideas: At face value, this explanation appears to have merit, as software security seems to be a domain suffering from both a dearth of deep thinkers and original idea creators and a dramatically out of proportion cadre of information ‘relayers’ all too eager to create the security sound bite of the day. Although clearly anecdotal, one of the recurring observational themes at the RSA 2011 conference was that there were a lot of companies and sessions, but not many that were new, meaningful, or radically innovative.
- Too Many Products: The signal-to-noise ratio of cyber security solutions is disturbingly low. For certain, cyber security is a domain particularly prone to the use of jargon, even for an IT discipline. But the more salient driver is the combination of a lack of real product differentiation as too many products are chasing too few ideas, as well as the fact that many truly new ideas are often so granular and specific that it’s difficult to understand how they offer much value or coherently fit within a deeper solution stack, making marketing messaging “noise” a much more understandable phenomenon.
OK, each of these points has some validity though. You can look at each of these and find ample evidence to justify their inclusion, as well as the reasons the authors give as to why they are somewhat of a red herring. But let me put forth another reason:
People don’t want real security. If they did, they would put the resources and efforts necessary into having it.
The fact is that people want security that is good enough. Good enough to comply with the regulations they are subject to. Good enough to meet the minimum requirements that they need to meet. Most organizations have set the bar so damn low regarding security that it is no wonder that we see the insecurity we do. Have you ever seen a security admin say “I have too much budget”? “Too many resources”?
Instead, most are in search of the mythical security magic bullet: the reasonably priced, minimally resource-intensive solution that will put a cloak of invisibility over their IT assets. Maybe if they weren’t wishing and hoping and praying so hard for the magic bullet, they would be less prone to believe snake-oil-selling security vendors who prey on their unrealistic desires.
Yes, the security industry is far from perfect. But I don’t subscribe to the “there is nothing new out there; we suffer from a lack of new ideas” view. There are plenty of new ideas and technologies out there, a lot of them in search of support.
I do not believe that the bad guys are harder working or smarter than the leading lights of the security industry. I do think that if it is important enough we can close down many of the holes that exist today. However, technology alone will never be enough. We need a lot more security awareness at all levels of organizations.
Security will become more secure when organizations are willing to do what is necessary for them to make it so. Not one second before.
So, to paraphrase Jack Kennedy: maybe instead of asking what the security industry can do for you, we should ask what you can do for the security industry!