ITsecurity

Why cyber security doesn’t work

Posted by on September 29, 2016.

Ilia Kolochenko, CEO and founder of High-Tech Bridge, has an interesting article in CSO Online. It’s worth reading – but I just want to consider the first part here. He examines two sets of figures: spend on cyber security; and the losses to cyber crime. Both are rocketing: Gartner predicts a rise in spend from $81.6 billion in 2016 to $170 billion by 2020; and Cybersecurity Ventures predicts that cyber crime will cost $6 trillion by 2021.

If we are spending more and yet losing even more, then clearly what we are buying isn’t working. That’s the bottom line: cyber security isn’t working. And the question is, why isn’t it working?

I want to propose something a bit radical. Cyber security doesn’t work because the powers that control it have no incentive to make it work.

The argument doesn’t just apply to the security industry. Consider, for example, the pharmaceutical industry. We all believe that it exists to keep us healthy. We believe that because that is what we are told. But it doesn’t make any commercial sense. If medicine developed a wonder treatment that cures headaches, they’d sell it to most of the population just once. We wouldn’t need it again, and that’s not much of a business plan.

However, if they develop pain killers to treat the symptom without touching the cause, then they can sell those pain killers over and over and over again. That is a much better business plan. If you examine the huge majority of drugs we pay millions and millions for every year, they cure nothing – they just make us feel better until we need to buy more.

The real reason the pharmaceutical industry exists is to make money. If it actually made cures, it would lose the golden goose (that’s you and me as repeat purchasers).

The security industry is similar. If it actually provided security, we would have no need for additional purchases. So it doesn’t – it provides a bit of security so that we always need more.

With cyber security there is a complicating factor. Government. Government could do a lot to help security, but it won’t. It won’t because it uses security fear to justify new controls over its people. The biggest danger for most governments is not foreign intervention but rejection by their own people. People need to be controlled – and the best way to do that is to keep them afraid and to limit their powers. Fear of the threat of cyber war and cyber criminals serves both purposes at the same time.

The security industry is little better. It is awash with companies that do not exist to make you secure, but only exist to make money for the founders. This is not an idle claim. Just look around. With little thought you can probably name several companies that have never made a profit, and yet spend millions on advertising and claiming their ‘unique game-changing new security paradigm’. They’re not here to make you safe; they’re merely here to sell quick and make money for the founders and their investors.

Now, back to those initial statistics. Who generates them? Well, the government and the security industry, of course. The simple reality is that the worse they seem, the better they serve their purpose.

Don’t get me wrong. There really is a security threat out there. And there are many companies and even more security individuals who take their work and their desire to protect business and people very seriously. But it doesn’t change anything. The reality is that there is very little incentive to cure the security problem, but huge incentives to maximize it.


Submitted in: Expert Views, Kevin Townsend's opinions | Tags: