They say that bad things always come in threes. The adage may testify to little but the popularity of superstition, but for security executives today, this notion regrettably passes muster. Crime, complexity and cost are three foes that every CISO must face, and while most companies think crime is the enemy, in many cases it is the latter two heads of this “cyber-cerberus” that deliver the most certain bite.
Here’s why: There’s not much we can do to wish cyber criminals away. The rising tide of threat actors will continue as the world goes digital, and we will need to be vigilant. But as an industry, there are things we can do to control complexity (and in turn cost), and it’s time that we start working together to reduce their impact. How do we do that? Well, let’s take a closer look at these three components.
Everyone knows about enemy number one: crime
Unless you have been living under a rock for decades, you know that cyber crime is one of the world’s largest problems. We’ve read statistics on breaches and seen countless companies in the headlines. Undetected attacks push the numbers even higher. IoT botnets, state-sponsored attacks, machine-learning malware, and the rise of ransomware have CISOs agreeing that cybercrime is evolving vigorously. Sadly, crime has been with us since the dawn of civilization and is not going away anytime soon. This enemy is a constant.
Which brings us to a hidden enemy - complexity
With so many barbarians at the gate, protection, detection and response have become ensnared in a painfully involuted multiplicity of requirements and solutions. Cyber security practitioner groups suggest 14-18 controls to get started. SANS defines 20 security measures as “critical.” Fortune 500 firms typically engage 50+ security vendors. One global bank cited 170+ vendors at the Black Hat security conference last year. Plus, there are at least 32 government and industry bodies dedicated to cyber regulations.
There are well over 1000 individual security solutions in the market for CISOs to consider, and dozens one must review for any particular purchase. Vendor research, trial periods, internal reviews and integration requirements grow exponentially as products are added.
Even when you finally determine the products you need, they must be tuned, serviced and regularly upgraded by skilled engineers. There are so many individual challenges to integrating security solutions that I couldn't list them all here. And the cycle of new products responding to new threats never ends. All of this complexity leads to the biggest enemy that we need to focus on.
Our most insidious enemy is, of course, cost
It’s important for CISOs to remember that their company is not in the business of cyber security—they make airplanes, design toasters, perform financial services or focus on something else, unrelated to security. I have never met a single business executive who preferred to divert resources from the core business to spend more on security...not one. The CISO who achieves results at lower cost and restores money to the core business will be recognized as a true partner in the business and be rewarded with a bigger seat at the table.
Today, adequately responding to the threat ecosystem costs hundreds of thousands of dollars annually for the typical company, and many millions for large enterprises. Monitoring and maintaining defenses requires specialized engineering roles that come with six-figure salaries, if you can even find the talent.
It’s no wonder Gartner pegged the enterprise cyber security toll at more than 96 billion dollars. And this is before the financial repercussions of actually suffering an attack. In the end, whether the bad guys get you or not, you’re already a victim of the effects of cyber crime: the cost of defense.
The industry needs a more sustainable model
This triple threat of anxieties isn’t sustainable. We can’t prevent bad actors from creating pressure, nor criticize CISOs for advocating for security budgets, but as an industry, there are things we can do to control cost and complexity, and it’s time we start doing that.
First, we must stop throwing fistfuls of venture dollars at entrepreneurs tackling single vulnerabilities. This practice has led to a glut of products living in silos, with the integration burden falling entirely on the customer. Our industry needs to offer integrated suites that are truly open and extensible, not product bundles architected for single-vendor lock-in. When buyers demand these types of consolidated solutions, VCs will back entrepreneurs looking to bundle their products together more effectively.
Secondly, we need better vendor-to-vendor integration, so that best-of-breed product interoperability isn’t solely the buyer’s responsibility. New security products coming on the market should be held to account to integrate with the existing ecosystem.
Finally, more of the cyber industry needs to start thinking of themselves as long-term service providers, not as “one-and-done” product peddlers. Transforming legacy appliance and software solutions into on-demand cloud services will allow responsible vendors to monitor, maintain and upgrade products, and to comply with policy and regulatory requirements. As vendors take on these responsibilities, complexity and cost for end users fall considerably.
To stay ahead of the enemy, the industry needs to close ranks. With a smaller suite of products, built with integration in mind, and with sellers taking on responsibility for product life cycle management, the buyer-side security community will have precious resources freed up to focus on more important issues—like the business itself.