Security. Needs. Change. (IMHO)
**Disclaimer** Views and opinions expressed here are my own and do not represent any organization I am affiliated with including my employer, the Expedia Group.
Cybersecurity, Information Security, Information Assurance, IT Security, Security Security Security. All of the above need change. The disciplines, the profession (or lack thereof), the approach, the conventions, the 'traditional' views of security have got to change. The "market" for security, including consumers and producers/providers, is failing. Altogether, the desired outcomes for security solutions (whether primarily people- or technology-driven) are not being achieved. There doesn't seem to be any anecdotal or even quasi-scientific analysis of the space that shows measurable progress from where we were 10 years ago.
Here are some of my anecdotal, non-scientific, hands-on, and in-the-trenches observations:
- IT Security = Information Security. NOPE. I am disappointed and want to shed a tear every time some well-intentioned person, company, group, or team presents, pitches, or proposes a solution to securing information as an IT problem, aka: Step 1, buy tool; Step 2, turn on tool; Step 3, solve problem. Perhaps someone industrious can look at security 'tool' spending per capita, or adjusted for size of revenues, and whether it has achieved outcomes. More tools, or more money on fewer tools, is not a strategy.
- Information Security = PCI/HIPAA/SOX/GDPR/insert latest regulation, industry- or government-specific compliance. NOPE. It hurts me to think that, after all of the big and small events over the last decade in security, there are millions (guessing), probably billions of dollars globally being spent on compliance without results. Have the breaches stopped? Has the data stopped being lost? Are the 'bad actors' getting caught? Are consumers confident you're not going to lose their data? Is there any more trust in any major industry's ability to safeguard data? Governments, financial institutions, private companies, big, small, and everything in between are still not winning the fight to protect the confidentiality, integrity, and availability of precious data.
- Security is a problem without enough technology to address it. NOPE. What technology are we lacking? I've been at the forefront of initiatives where I thought to myself, wow, how could we possibly scale to that amount of data, it must be so hard. Oh wait, I was wrong: there's plenty of wonderful tech out there. Public cloud services and other data streaming, processing, storage, indexing, etc., are all plentiful. Pick your poison, proprietary or open source, on-prem or in the cloud. It's a veritable candy store of options. It's not the technology that's hard, it's the people, and no, it's not the 'everyone is dumb and needs to be a security expert' crowd that I am talking about, I am talking about security people. It's us, boys and girls; the industry and discipline have got to change, whatever industry or sector you're in. Understand the INCREDIBLE IMPORTANCE (see what I did there) of change: constant, continuous evolution should be one of the top, if not the number one, objectives for your security initiatives. There is no single threat; it keeps changing. People need to change just as fast as the tech, and if people don't change, this problem isn't getting better.
- The cybersecurity workforce needs more certifications (CISSP, CISM, CISA, etc.). NOPE. Are the certifications leading to better outcomes? Are we truly preparing people for fulfilling careers in security? Do they really have the training they need? And don't start blaming the people who are trying to break into the industry; they're just victims of an industry that is happy to codify (for who knows what reason) and certify seemingly antiquated and arbitrary methods as the bedrock of security. Let's help more people join the fight, not keep them out with these certifications. Certifications have their place; they can also be more hurtful than helpful. I've seen it from coast to coast, from the belly of the beast of our national security apparatus to America's leading Fortune 500 companies: thinking certifications are worthwhile reasons to keep people out, or other people in.
- Security product and service providers are evolving at the pace the landscape is. NOPE. Everyone I have talked to (a decent number of people, a cross-section of the security provider space from early-stage startups to publicly traded giants) seems to have an inefficient distribution of capital for R&D, and from their roadmap presentations I've gathered that their roadmaps are going after interesting problems at a slower rate than the problems are coming. So I'm getting the feeling there are some redundancies out there and some consolidation that needs to happen.
- Major Security Vertical players (i.e. Cisco, Symantec, Intel, AT&T, etc.) and pure-play Security Vertical players are innovating for tomorrow's security challenges. NOPE. I have spent many a phone call, meeting, and video conference with the industry's purportedly leading product and service providers of security solutions, and they have told me point blank (won't name any names) that what I am asking for is not available, not a priority, not important, and that they are focused on meeting the needs of yesterday's security problems because that's where the majority of the enterprise consumers are. That's just wonderful (not): tons and tons of R&D capital is going into solving and optimizing security problems that are 10-20 years old. So if you're adopting the latest and greatest technology out there, you may need to figure it out yourself, or take your chances with an early-stage Series A, B, or C startup and roll the dice, because at least they're trying, while getting squeezed by major players who only care about the 'common' enterprise's problems.
- Security challenges will be solved if CISOs are in board meetings at big publicly traded companies. NOPE. Security shouldn't be special; security should be like any other part of the business, like marketing for example. There should be allocated capital, it should be applied with some intelligence, performance should be measured, major strategies should be discussed, evaluated, and adjusted, and returns should be produced. I frequently (way more than I'd like) hear security professionals complain about how boards don't care enough about security. I'm not sure what people are hoping to achieve; the board of directors isn't there to tell us how to secure data and protect information, that's what we are here for. If you aren't getting the support you need, focus on results instead of unrealistic promises.
- Everyone needs to be a security expert. NOPE. This is a real pet peeve of mine. Security professionals think that everyone needs to get educated and aware on security: why doesn't everyone understand public key infrastructure, software/hardware crypto controls, and avoiding internal/external threats? Here's why: they have jobs, just like you do, just like I do. Security professionals should stop waiting and hoping and complaining about how everyone else doesn't understand security. You're going to have to meet them where they're at, not where you are at. Get over it.
- Security is so special that it doesn't need to change, everyone else does. NOPE. Here's a favorite: if everyone else could write perfectly secure code, build up-to-date and vulnerability-free servers, properly configure and harden their hypervisors, AWS accounts, etc., then data would be easier to secure. If everyone were doing that, then they wouldn't need you. People instead are focused on writing horizontally scaling applications with responsive UI/UX for finicky consumers in ultra-competitive and highly elastic marketplaces for services and goods, not on doing your job.
Here's what I think (hope) will happen. Companies will start demanding results for security spending; platform players (Amazon, Microsoft, and Google) will start commoditizing security solutions, giving Security Vertical players a run for their money; consolidation will happen among the good, bad, and weird ideas out there in the security space; and R&D capital will shift towards future problems and blue oceans in security, not re-tooling and re-packaging yesterday's problems/solutions. And finally, security professionals will focus and orient themselves toward evolving with their organizations' needs and be part of the wave of change that will have to sweep the entire market to actually achieve meaningful, measurable results toward security outcomes like protecting customer and company data.
If you are also passionate about the lack of results the market is producing on security problems and want to get together to connect, share ideas, and join with others who are like-minded in making waves, please comment/message. I look forward to connecting.
Nicholas Muy leads Product Strategy for Enterprise Security @ the Expedia Group. His passion is for driving industry-leading change and digging into difficult challenges in environments ranging from the public sector to the Fortune 500. In addition to his work at the Expedia Group, Nicholas has served since 2012 on the board and finance committee of Communities In Schools of Washington, part of the nation's leading dropout prevention organization.
IT Infrastructure and Cloud consultant (6 years ago): Nice article

Head of Cloud Filesystem and Storage Engineering @ Dropbox | Bar Raiser | Public Speaker (6 years ago): Good write-up.

Security Specialist at Trend Micro (6 years ago): Great post Nic!