The future of security lies in the hands of vendors, driving better functionality for all users.
Speaking to Infosecurity at Infosecurity Europe, Imperva CTO Amichai Shulman said from a new threat detection technology, there is ‘great technology out there for every threat now’ and while it doesn’t mean that if you deploy everything you will be protected, we do have technology for realistic, current threats.
“What’s missing is whether pure technology can scale down, as you see enterprises for the past few years who bought huge numbers of security solutions to protect and fight threats,” he said. “You see them with 60 or 70 solutions, building them on top of each other and they protect a little bit of their file server, or their database, or their applications or it is protecting what they don’t know, and they really need to get a grip on what their real posture is and how to start extending the deployment of all those solutions if they need them all.”
Shulman claimed that there is a real challenge for security vendors and organizations to scale down their technologies to smaller businesses, as the problem is not threats we don’t how to detect, but he said that the question is how to organizations improve their security posture using existing products. “They are trying to do automated incident response or automated risk management, but it is about how we need to work on solutions and scaling them down,” he said. “Every application that goes up needs to have the web application firewall as enterprises and vendors don’t find a way to work together.”
Shulman said companies go into a DevOps mode of integration of components, and we need to get security into that, and there is a move there in introducing APIs but he believed that more will be needed in integration and the testing phase. “We really need to integrate in terms of configuration, as application and operation people provide the platform for security, but it comes up empty. People will still be held responsible for that, but programmers will never be security people.”
He said that we should stop trying to fix people, because while he hates patching software, “it’s easier than patching people!”
“Measuring programmers is easy as you can count the lines of code they have written per day, and if that is the case then who cares about security?” He concluded by saying that in the past five years there has been a shift in the role of the CISO where they have a ‘seat at the table’, but he believes there will be a future scenario where things improve, but the security vendors need to lead on that.