Posted by Kevin on September 7, 2015.
Every year we spend tons more money on security, and every year there are dozens of new security companies offering shiny new technologies guaranteed to stop malware, plug breaches, defy surveillance, expose the not known unknown and pacify the malcontent. And yet, at the same time, each year we get bigger and badder breaches. Something doesn’t add up – it would seem that security as we know it isn’t working.
There are two common responses to this. The first was voiced by Amit Yoran at this year’s RSA:
We are living in the Dark Ages of security. We cling to outmoded world views and rely on tools and tactics from the past, and yet we are surprised to find ourselves living in an era of chaos and violence.
His answer would seem to be better use of newer, better, shinier technology to pull us out of the past. The problem is, where is this technology?
The second response is to suggest a return to the old methods – a deep manual gap analysis to locate our weaknesses in relation to the best available standards (such as 27001 and NIST and PCI). The problem here is that we still end up trying to plug those gaps with the very same technology that isn’t working.
There is a third response. This suggests the problem is twofold: it is partly the money men that control western society, and partly the mismanagement of young talent. One of the strongest proponents of this idea is Ilia Kolochenko, founder and CEO of High-Tech Bridge.
First let’s follow the money. We’ve had a serious economic slowdown over the last few years. In such times of economic crisis money traditionally migrates from business to gold – but now there is an alternative: security. Security spend has defied economics; few security firms have folded and most have grown. Security has become a safe bet for investment. Just look at the prices paid, the investments made, and the valuations proposed. $1 billion for Mandiant? Really? And paid by a company that has never turned a profit? That cannot be right.
With so much money available to security firms, the response has been new companies with no new thinking. As Kolochenko puts it,
Many cybersecurity start-ups consider that reinventing a security scanner with a different GUI, report format or pricing model is enough to compete. The problem is that we just don’t need one more vulnerability scanner – we already have enough. We need a new concept, a new innovative approach to security testing. And very few companies have visionaries capable of creating such concepts. Nevertheless, they manage to raise funds from desperate investors trying their luck in the cybersecurity marketplace.
New security companies are not started to solve security but solely to make money for the investors. They are awash with money but not quality. From the investors’ point of view, market share is all – it’s what forces a big company to buy out the small company and provide a quick ROI. Market share can be bought if you have enough money – and many of these new start-ups have more money than talent.
But is this because there is no talent? Of course not. Kolochenko again:
Are we sure that the problem we face is a lack of skills, and not in fact that there are too many barriers stopping talented young people from developing countries applying their skills in developed countries? Smart graduates from developing countries may expect a very modest salary in their home countries, while emigration to developed countries is a pretty difficult, expensive and time-consuming process. Should we expect these skilled people to sit idly by, respecting the letter of international law that prevents them from experiencing a much better standard of living?
Of course not – they have in many cases adequate technical skill and tools to earn considerable sums as Black Hats, while evading detection…
So this is the last viewpoint, and to my mind the one most worth pursuing: the security problem persists because money men aren’t interested in security, just a quick return; while society effectively diverts talent from the light to the dark side. This is too difficult a problem for anyone to attempt a solution. Instead we will continue to throw money at security and we will continue to get breached.