In the new year, rather than predicting the future, Jack Danahy, co-founder and CTO of Barkly, looks at the main things that need to change to make security a better place.
The headlines show that for the security industry, business as usual isn’t working. Global spending on IT security was set to surpass $75 billion in 2015, yet the latest count from the Identity Theft Resource Center (ITRC) reports over 700 data breaches and more than 176 million records exposed. To move forward in a healthier direction, I’ve identified five common approaches organizations should avoid for a more productive 2016.
5) Let’s Stop Blindly Spending More
As breaches increase, everybody is trying to understand what the right amount of security is. Vendors, writers and analysts insist that there is some baseline amount that should be spent on security, either as a percentage of revenue or as a fraction of the IT budget. Worse, human nature leads us to believe that more is better, so improving security comes to mean buying more. As with most simplistic proxies for complex decisions, this just isn’t true.
Productive security investment requires considering such questions as:
· How large is the organization, and what kinds of people are part of it?
· What skill set does the security team have?
· Are the users open to new security measures, and is management willing to implement them?
· Has the business looked for ways to reduce the risk it is exposed to in the first place?
Most of these questions never get asked, and the result is expanding security budgets that deliver less security and more disappointment.
What I’d like to see instead: Companies figuring out the right protection strategy, then re-evaluating their investments to get the protection they need and can consume.
4) Let’s Stop Playing the Weak-Link Card
Everybody knows that user mistakes are usually the first step in the chain of events that results in a major breach. When this happens, organizations remind us that security is only as strong as its weakest link, and the user is always identified as the most fragile element. By stopping there and bypassing the real weaknesses that let a single mistake become a breach, organizations let users take the hit for the vulnerabilities.
What I’d like to see instead: The “user weak link” excuse loses its get-out-of-jail-free card status and instead becomes a driver of new investment to make that weak link stronger.
3) Let’s Stop Giving Ourselves Rave Reviews for Security Success Theater
The best way to measure the value of a security program is to clearly link investments to the absence of breaches. Actual protection means attacks have been stopped, but most security technologies (and teams) are uncomfortable offering this as their value proposition.
Instead, security has been redefined into things like monitoring, detection and remediation. This is the notion of “security success theater,” where the actors include the vendors, the security team, and the organization’s management. In this performance, security status is reported as more threats are identified, more machines and networks instrumented, and new technologies adopted. What stakeholders actually want to know about is what attacks were identified and stopped, or what systems were made secure.
When reports show progress against the wrong goals, they provide a false sense of confidence and reduce the pressure to improve strategy and practices.
What I’d like to see instead: Organizations become brave enough to recognize success only when there is a material reduction in critical weaknesses and decreases in successful attacks. This shift will be hard, but is better than investing in a mirage of better security.
2) Let’s Stop Speaking in Incomprehensible Security Gobbledygook
As a security guy who has been a vendor, advisor and buyer, I’ve watched the industry’s language become a mush of overused and overloaded terms. Some just don’t make any sense (anyone trying to “protect” their “intrusions”?). Others have been stretched until they apply to almost anything (behavioral analysis, endpoint/system protection, application security, oh my).
Part of the problem is that talking about “protection” could mean traffic monitoring, incident response, and threat notification. Don’t get me wrong — monitoring and response are vital, but lumping them together under the term “protection” is like saying hospitals are a form of protection against the flu.
Large enterprises with dedicated security organizations make sense of this, sorting through the gobbledygook and creating the right words to communicate their needs. For the 98,000 companies between $50M and $2B in revenue that may have just one person working on security, there is no time to become a subject matter expert, and there is little hope they will know what they are buying, or what they actually need.
What I’d like to see instead: A return to simpler, more courageous language. Security teams can say, “We are investing in A, to protect B, reducing our risk of C because it will D.” Vendors can say, “Our product does X, protecting our customers against Y, which is visible by looking at Z.”
1) Let’s Drop the Unhelpful Security Superiority Complex
Breaches happen. Reasonable security people know breaches will continue happening, as evidenced by the dominant cliché of the past 25 years, “No system is 100% secure.” Even so, commentary usually starts with assigning blame before the details of the attack are known. We all live in glass houses, yet we can’t resist throwing stones.
In cases of negligence, some of this makes sense. But when the organization may be under-skilled or understaffed, it would be more constructive to discuss the facts and turn our attention to applying lessons learned. Failure can be an effective teacher, but even more so if we know there is a supportive community waiting for us on the other side.
What I’d like to see instead: Security becoming an empowering discipline rather than an investigative or auditing one. Our job should be understanding how to improve the system, without castigating the organization for not knowing as much as we do. Everyone has differing pressures and priorities, and we can only advance our impact by making the interaction more constructive.
The truth is the security industry has been resigned to these attitudes for too long. This year, let’s agree to step back and reconsider so we can chart a better, more effective course.