RSA Conference 2014: Organizations Spending too Much on Security Technology

All rights reserved by RSA Conference
All rights reserved by RSA Conference

That was the rather surprising claim from Art Gilliland, senior VP and GM of Enterprise Security Products at HP, during his keynote address at the RSA Conference in San Francisco. What he claimed, in short, is that information security professionals are focusing on deploying so much technology that they are involving themselves in an arms race against attackers that cannot be won.

Gilliland recently asked his son: Why do you always pick the bad guys? It was in reference to their ritual of playing video games together in reward for a successful week at school. Gilliland’s son replied: “Because they have way cooler weapons.”

The same could be said, he added, for attackers that information security professionals combat on a daily basis. “Our industry is still trying to match the bad guys weapon for weapon, tool for tool. But they still continue to win”, he told the audience. “Our adversaries are not about the objective, they are people acting in a marketplace, buying and selling tools from each other. It doesn’t make sense to match their weapons, because everyone is using the same tools.”

Attackers organize, specialize, and monetize, Gilliland observed, and this is the underground marketplace that security professionals face.

The market’s total spending on security technology is $46 billion dollars a year, according to Gilliland. “We are spending an enormous amount of money to protect ourselves…and we do a pretty good job. We block the vast majority of what comes against us, but the stats are against us when it comes to the number of breaches and what it costs.”

Work on the fundamentals in which a particular organization excels is a starting point, he said. According to HP’s research on where companies spend their security dollars, it found that 24% of organizations still failed to meet their own minimum security requirements.

Security departments do not exist to protect the enterprise from all risk, Gilliland asserted. Instead, they exist to protect the business that the enterprise engages in. To that end, he recommended prioritizing applications (and their security); changing your approach so that security departments do not try to protect everything; and effectively balancing speed and security.

“We are over-invested in products and technology, which is hard for the head of product technology to tell an audience”, Gilliland joked. “We are not investing enough in the people and processes you employ. We need to stop thinking about the technology that matches the adversary weapon for weapon. We need to invest in education the people who do this.”

What’s Hot on Infosecurity Magazine?