twitter facebook rss

Money can’t buy you love or security

Posted by on September 7, 2015.

Every year we spend tons more money on security, and every year there are dozens of new security companies offering shiny new technologies guaranteed to stop malware, plug breaches, defy surveillance, expose the not known unknown and pacify the malcontent. And yet, at the same time, each year we get bigger and badder breaches. Something doesn’t add up – it would seem that security as we know it isn’t working.

There are two common responses to this. The first was voiced by Amit Yoran at this year’s RSA:

We are living in the Dark Ages of security. We cling to outmoded world views and rely on tools and tactics from the past, and yet we are surprised to find ourselves living in an era of chaos and violence.

amit_yoran_260_160His answer would seem to be better use of newer, better, shinier technology to pull us out of the past. The problem is, where is this technology?

The second response is to suggest a return to the old methods – a deep manual gap analysis to locate our weaknesses in relation to the best available standards (such as 27001 and NIST and PCI). The problem here is that we still end up trying to plug those gaps with the very same technology that isn’t working.

There is a third response. This suggests the problem is twofold: it is partly the money men that control western society, and partly the mismanagement of young talent. One of the strongest proponents of this idea is Ilia Kolochenko, founder and CEO of High-Tech Bridge.

Ilia2First let’s follow the money. We’ve had a serious economic slowdown over the last few years. In such times of economic crisis money traditionally migrates from business to gold – but now there is an alternative: security. Security spend has defied economics; few security firms have folded and most have grown. Security has become a safe bet for investment. Just look at the prices paid, the investments made, and the valuations proposed. $1 billion for Mandiant? Really? And payed by a company that has never turned a profit? That cannot be right.

With so much money available to security firms, the response has been new companies with no new thinking. As Kolochenko puts it,

Many cybersecurity start-ups consider that reinventing a security scanner with a different GUI, report format or pricing model is enough to compete. The problems is that we just don’t need one more vulnerability scanner – we already have enough. We need a new concept, a new innovative approach to security testing. And very few companies have visionaries capable of creating such concepts. Nevertheless, they manage to raise funds from desperate investors trying their luck in the cybersecurity marketplace.

New security companies are not started to solve security but solely to make money for the investors. They are awash with money but not quality. From the investors’ point of view, marketshare is all – it’s what forces a big company to buy out the small company and provide a quick ROI. Marketshare can be bought if you have enough money – and many of these new start-ups have more money than talent.

But is this because there is no talent? Of course not. Kolochenko again:

Are we sure that the problem we face is a lack of skills, and not in fact that there are too many barriers stopping talented young people from developing countries applying their skills in developed countries? Smart graduates from developing countries may expect a very modest salary in their home countries, while emigration to developed countries is a pretty difficult, expensive and time-consuming process. Should we expect these skilled people to sit idly by, respecting the letter of international law that prevents them from experiencing a much better standard of living?

Of course not – they have in many cases adequate technical skill and tools to earn considerable sums as Black Hats, while evading detection…

So this is the last viewpoint, and to my mind the one most worth pursuing: the security problem persists because money men aren’t interested in security, just a quick return; while society effectively diverts talent from the light to the dark side. This is too difficult to attempt a solution. Instead we will continue to throw money at security and we will continue to get breached.

3 thoughts on “Money can’t buy you love or security

  1. I can’t speak for love but money does buy security – adequate security, adequate risk mitigation, whatever you call it. Not perfect, true, but good enough on the whole.

    Imagine how bad things would be if there was no spending on security – no investment, no products, no research & development, no infosec pros …

    Security investment is like other forms of investment, such as ‘infrastructure’: you spend a lot to achieve little obvious progress, at first, but over time it builds into something substantial. If you don’t invest up front, you end up either spending a fortune trying to catch up or being left behind in the dust.

    • Hi Gary

      Being pedantic and empirical — you’re wrong. If you were right, we would have no breaches. We do have breaches so we don’t have security. I don’t accept that security is analog: it’s binary; you’ve either got it or you don’t.

      I’m also not a believer in ‘adequate security’. Adequate security is only adequate until you’re breached. And whether you are breached or not, it seems to me, has more to do with who is attacking you than any amount of technology you might buy to prevent it.

      I’m not suggesting that we don’t need technology; only that insecurity will increase in direct proportion to the extent to which we rely on technology alone. The real solution will come from a combination of technology and factor x. The problem is that we aren’t even looking for factor x.

  2. Maybe because we are secure only if we love?

Leave a Reply to Gary Hinson Cancel reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Kevin Townsend's opinions | Tags: