The information security industry is hot right now, but it's hot because it's failing. The daily announcements about breaches and lost data confirm that criminals are winning the security battle, but how can InfoSec reposition itself in order to win the war?
Last month, Tsion Gonen, chief strategy officer at SafeNet spoke at the CIO Summit in Boston hosted by CDM Media. His presentation, "InfoSec's Midlife Crisis & Your Future" opened with the blatant recognition that "We are totally failing."
The upside to the torrent of daily breach announcements is that the industry is in the spotlight. Everyone is racing to find the most innovative solution to the information security problem.
"Security is hot right now. It's hot because we're totally failing," said Gonen. "1800 cybersecurity startups were funded last year, and that's driven by total failure," Gonen continued.
According to Cybersecurity Ventures, "Worldwide spending on information security was expected to reach $71.1 billion in 2014, with the data loss prevention segment recording the fastest growth at 18.9 percent, according to a forecast from Gartner. Total information security spending is expected to grow a further 8.2 percent in 2015 to reach $76.9 billion."
If the industry is failing, then why is so much money being spent?
"People are scared and they are buying stuff," said Gonen, "Good money after bad money."
The threats still exist and will be ever-changing, so the need for security solutions remains in high demand.
Because of the high demand, and the desire to protect their reputations, organizations are more willing to invest in solutions tools. As a result, security administrators need to focus on plan B. "Plan A has failed. InfoSec's premise, its plan A, has been to stop the loss of information and prevent unauthorized access. We have failed," Gonen said.
When firewalls came out in '95, it gave birth to the information security industry which focused on defending perimeters and breach prevention. Historically an organization had what Gonen called, "one Snowden--your database administrator (DBA), now there are potentially a lot more Snowdens from your virtualization manager to the cloud environment, SaaS. Everyone's a Snowden now."
What will plan B include?
To help organizations consider the different rooms that need to be safeguarded, Gonen said, "If I'm protecting my home from an intruder, where am I going to put the strongest defenses? It's not my laptop. It's my kids' rooms. You know where your kids' rooms are in your environment because that's where you put your DBA."
"Have a communications plan in place," said Gonen, "be able to answer the first two questions that people will want to know: What happened? What did they take?" One way to minimize what's lost in a breach is encrypting everything. "Encrypt and keep the key," said Gonen who used the example of a Zappos breach that resulted in stolen credit card information.
"You know what they got, they got the last four digits of credit card numbers," said Gonen. "What good is that? What can someone do with the last four digits of anything?" Gonen rattled off the last four digits of his phone number and Social Security number to emphasize his point. "The other 12 digits were encrypted, so those four numbers are useless," Gonen said.
Plan B accepts that hackers will get unauthorized access, but what is key for security is making sure that what they take they can't really use.
In order to shift the trajectory of InfoSec onto the course of awesomeness, more than the blueprints need to change. Mindsets need to shift. Security administrators need to start saying yes. "Businesses need to move, and we live in a world of yes. We need to stop saying no because they will find someone who says yes."
The idea of saying yes to everything can be unnerving, though, particularly when people are trying to prevent unauthorized access to data. "The road between yes and no, is know," said Gonen. "Have architecture in mind and build solutions. Let them know the risks involved and let them make the decision," Gonen said.
Agreeing with Gonen, Earl Perkins, research vice president at Gartner, noted, "We have reached a point in time where the pace of change and the level of threat are beginning to collapse and not work." Perkins talked about the need to shift the mindset about information technology as well. "Although IT isn't a failure, it's not deliberate in the way business would like it to be," Perkins said.
Knowing how to say yes will allow security officers to protect and defend without being the antithesis of awesome. "They, and by they' I mean IT, will be replaced by something," Perkins said, "we are moving out of the prevention phase of you shall not pass' toward the era of detection and response."
The era of detection and response demands that organizations can no longer have malware that goes undetected for more than 200 days. "We are moving toward scouting parties and proactive offense. Improving the way you have monitoring," said Perkins.
"People buy because of awesome," Gonen said, "but in security, we are the anti-Christ of awesome."
With the billions of dollars being invested into cybersecurity startups, though, there is a lot of awesome being developed.
Perkins defines the IT midlife crisis as the crossroads between security and the Internet of Things (IoT), and the way for IT professionals to move forward is to define the role of IT in business. "Digital business means looking at risks and understanding how IT and business are so interrelated and then developing a methodology for prioritization," Perkins said.
Following Gonen's advice for the emergence of awesomeness, IT professionals need to develop a common language. "What IT brings to the pictures is we know a lot about technology," said Perkins, "so bring risk equations into the discussion." Risk is a word that both IT and business folks understand.
Perkins said, "Security has to move into a business resiliency phase. When does cyber security become a business continuity concern?" Cyber attacks have the potential to bring a company to its knees, and security has to be in place to allow the business to bounce back.
Moreover, Perkins said that IT professionals need to talk honestly with the board to manage expectations. He likened cyber threats for businesses to a disease and said, "Our company has a disease that can never be cured but it can be treated. There will be times when the disease flares up and it will cost a lot of money to treat the disease, but then there will be other years that are not as expensive."
"We can get quite good at treating it and focus on the business quality of life," Perkins said.
Shifting the way they think about security with a focus on the user experience will redirect the future of information security. "Thinking about awesomeness is a huge career move because two years from now the security officers are going to be the ones who know how to build awesome in to their environments," Gonen said.