Over the past two years, the cyber security industry has seen a significant move by security professionals and organizations to create CSIRTs or Computer Security Incident Response Teams.

The staffing for these roles has been significantly higher than other information security positions. The technology built for security operations centers (SOCs) has expanded equally quickly with new log management and event correlation products coming on line. As you know, CSIRTs can have a wide range of functions that cover the gamut from response to proactive threat and vulnerability management. However, over the past couple of years we have seen a focus on response. An after-the-fact, see, detect and arrest function. It is almost as if the hiring managers have given up.

Let us shift gears a bit here. Yesterday, Art Coviello, executive chairman of RSA said:

“It’s not a matter of if and when, it’s how you are able to respond and shrink the window of opportunity so when you are breached you can respond timely enough to mitigate any damage.”

https://searchsecurity.techtarget.com/news/2240113999/RSA-SecurID-breach-Executives-attempt-to-repair-tarnished-image

This statement indicates that he is beaten. He has thrown in the hat with the not if but when statement. All because they were breached. This is because RSA/EMC, like many other organizations, had built their security organizations on a see, detect and arrest mentality. It was inbred from the start of their global security program based upon a cult of personality steeped in a law enforcement mentality. They have moved to the realm of cyber janitors.
How much money did RSA/EMC spend (and are still spending) to ‘clean up’ their mess outside the initial $63M? It took that incident to get RSA off the dime to ‘innovate’ a 30-year-old, static product. Much like all the others, it takes a spill.

So what is a Janitor?

The general responsibilities of most janitor positions involve routine cleanup tasks. These will often include removing trash from waste cans in offices, vacuuming carpets, sweeping floors, and in general keeping the space in an orderly fashion. In many cases, a janitor may also handle climate control functions within the building as well.

This may include keeping a furnace in proper working order, handling the function of thermostats, or keeping a boiler system in proper repair. A janitor often also troubleshoots plumbing issues, handling maintenance tasks with hot and cold running water, replacing leaky pipes and faucets, and replacing sinks and toilets when necessary. Along with basic cleaning responsibilities, janitors may handle other responsibilities, such as seeing that doors are locked after hours and that any electronic alarm systems are properly set before the building is closed for the evening. The head janitor may also oversee a cleaning crew, depending on the size of the facility. While a janitor may work during the daylight hours, it is not unusual for many cleaning professionals to work during the evening. This is especially true with office buildings, where the janitor will be able to work without disturbing people who would prefer to work without a vacuum cleaner running or someone mopping or emptying trash receptacles.

The cyber janitors of today fill the CSIRTs expecting the worst to happen. They are skilled in after-the-fact clean-up functions. A whole cottage industry has sprung up around cyber janitors.
They augment existing staff functions after a breach (or better said, a data spill); they serve to examine where the breach came from; they are law enforcement or interface with law enforcement (arrest); and they charge very high rates. They are vultures feeding on the misguided carcasses of breached entities, promising all sorts of help and assistance except one. The most important type of assistance that is needed across all security organizations today. That being a proactive, preventative approach to cyber security management.

Coviello also said:

“We believed we had a very strong security system in place before the breach and we redoubled our efforts across the entire spectrum, including our communication with employees.”

He said this because this is what he and all of EMC leadership were led to believe. The reality was internal deception and security staff way over their heads in understanding how to build a resilient organization. RSA took their show on the road but they did not expose the true issues inherent in the internal security functions at EMC. Way too embarrassing to shed light on this. It is difficult to rebuild a program when it is steeped in the see, detect and arrest mentality. The cyber security industry hopes the redoubling of efforts at RSA/EMC does not mean doubling down on the same losing proposition.

Lucky for RSA that EMC was able to stifle criticism using the EMC marketing machine and legal group, by offering vocal critics a view at the breach (in exchange for signing an NDA that said you can’t say you signed an NDA). If it takes a breach to stimulate innovation, then you have the wrong leadership since their main function should be innovation (not sales of outmoded products).

Most of the large security vendors still pitch and push reactive and signature-based solutions. They push their wares since the market is still in the billions, since consumers are led to believe these products work.
They buy their way to keynotes at large security conferences where no one is allowed to sell during their talks, yet the talks they deliver are all about sales.

They talk innovation but their type of innovation is still tied to see, detect and arrest. They may mouth the words ‘proactive’ and ‘preventative’ but the products indicate otherwise. They propagate the cyber janitor skillset. They push the need for cyber janitors whether it is RSA, Symantec (lost source code), McAfee (penetrations), or others who have decided not to come forward. What we really need in this industry is a complete shake-up. We need true innovative thought that uses cyber intelligence, counterintelligence and active defense and offensive measures in our programs. No more sitting around waiting for the penetration. No more deception in security program communications. Full open kimono only. If the product and/or solution does not prevent; if the foundational elements of IT and security are not of a proactive nature; if the sales pitch is still about after-the-fact investigations and forensics, then move on to the next vendor.

Companies can continue to expand their cyber janitorial staff or they can focus on preventing spills and reduce the requirement for cyber janitors. Pay me now or pay me later ($63M outlays and tarnished corporate image). (Could you imagine if you, the CISO, were given $63M to run your security program?)