Cybersecurity Industry Blame Game at RSA Conference

I’ve been meaning to write this blog since returning from San Francisco in April and I’ve finally gotten around to it.  With the dangerous threat landscape and seemingly endless string of data breaches, there was quite a bit of industry bashing at this year’s RSA conference.  Discussions featured numerous sound bites accusing the cybersecurity industry of ‘being stuck in the dark ages,’ and claiming that the industry ‘has failed its customers.’  Pretty strong stuff.

Now I certainly agree with one of the underlying premises.  In spite of billions of dollars in infosec technology purchases over the past few years, organizations like the US Office of Personnel Management (OPM), Sony Pictures, and Target continue to experience devastating cyber-attacks and data breaches.  Yup, there’s certainly a supply/demand disconnect but I think it’s worthwhile to explore how we got to this point before simply shooting the messenger. 

As I look back over the past 15 years of cybersecurity history, I see a few common problems that led the cybersecurity community astray:

1. Chintzy cybersecurity investment.  Cybersecurity budgets have a history of being extremely flimsy – especially in all industries with the exception of financial services and defense.  When infosec pros asked for more money, business guys often responded, “We don’t need good security, we need good enough security.”  This forced CISOs to spread precious budget dollars thinly across IT, cover the basics, and deal with cybersecurity on a threat-by-threat basis.  To me, this behavior is the root cause of the ineffective point tools-based cybersecurity infrastructures present in most organizations today. 
2. The security = compliance phase.  In the mid-2000s, information security was co-opted by regulatory compliance mandates like FISMA, HIPAA/HITECH, and PCI-DSS.  All of a sudden, cybersecurity professionals were subservient to IT and compliance auditors and walking around data centers with clipboards.  Driven by changing user requirements, the cybersecurity industry quickly followed suit as SIEM morphed into a regulatory compliance reporting system.  It wasn’t until around 2008 that the industry woke up and realized that compliance and security were kissing cousins at best.
3. The global cybersecurity skills gap.  I’ve played the role of Chicken Little on this issue for years.  According to ESG research, 28% of organizations report a “problematic shortage” of IT security skills and things aren’t getting much better (note: I am an ESG analyst).  It’s virtually impossible to address complex cybersecurity problems when organizations’ cybersecurity departments remain under-skilled and understaffed.  Product vendors suffer most here as CISOs give up and default to managed services. 

Now I agree that the industry may have been complicit in exacerbating these issues, but capitalism is alive and well in the infosec domain so vendors simply produced things that users had the knowledge and budgets to buy.

If I were asked to speak at next year’s RSA Conference, I would offer cybersecurity professionals the following simple advice: Caveat Emptor.  If the cybersecurity community gets together with specific demands, you can bet your bottom dollar that the industry will respond.  In my humble opinion, CISOs should push the industry for:

• Open integration.  Given that the goal here is enterprise security, cybersecurity product vendors must design individual point tools for integration by supporting industry standards, offering open APIs, and testing common multi-tool configurations.  CISOs should only buy from cybersecurity vendors who are able and willing to play nicely with others. 
• Built-in intelligence.  Complex cybersecurity tools designed for custom configurations are of little use when the infosec staff is too busy putting out fires and can’t spend time on technology training and customization.  Vendors need to design tools that deliver value from the get-go and offer deployment guidelines that address 80% of common use-cases.  Splunk does a great job in this area as users often start with simple dashboards, learn the product, and incrementally use it for more extensive purposes. 
• Hands-on support.  CISOs should allocate services budget dollars and work with vendors that commonly bundle proactive services with products.  For example, Trend Micro technical account managers (TAMs) keep customers abreast of the latest threats and help them fine-tune their security defenses accordingly.  This type of staff augmentation is exactly what’s needed to help bridge the skills shortage gap.

There is plenty of work ahead to address the dangerous threat landscape but neither the supply nor the demand side of the cybersecurity market can make progress on its own.  If CISOs develop a comprehensive enterprise-wide cybersecurity strategy along with a pragmatic multi-phased plan on how they get from here to there, the industry will certainly follow this lead.