Good Thing We Don’t Sell Firewalls
At a local chamber breakfast meeting this morning I had the opportunity to introduce my company to a room full of people whom I had never met before. Staring into my bowl of granola and strawberry yogurt, I tried to summarize in my mind what it is that GreyCastle Security does. I needed to come up with something catchy and simple so that the 30 or so individuals at the meeting would both understand our mission and want to talk to us. We’re all in Marketing, as the saying goes.
“Good morning everyone, my name is Reg Harnish and I’m the Founder of GreyCastle Security. My company is in the business of preventing ugly headlines. You know how you’re constantly reading about companies that are being hacked, breached and robbed? We can help keep you from becoming one of those companies.”
It seemed to work, given how popular I was after the presentation.
Unfortunately for many of the businesses in that room, it’s probably too late.
According to The Ponemon Institute, annual spending on IT security has nearly doubled over the past five years.
That spending reached nearly US$80 billion in 2011, and U.S. companies are putting 3-10% or more of their budgets into security initiatives. This sounds like a lot. But there’s a problem.
There is a major disconnect between security spending and risk. Decisions on security spending are based on many things – it’s the way we’ve always done it, it’s what other companies like us are doing, it’s what our Chairman wants us to do. Sadly, risk is usually an afterthought.
What has resulted is a disproportionately large increase in the costs of cybercrime. When an organization is not protected from attackers, or is unprepared to deal with the aftermath, its costs of recovery go up. Way up. When an organization doesn’t understand what its real risks are, it can be very difficult for it to protect itself.
So who’s to blame? All parties involved.
- First and most obviously, it’s the cybercriminals, along with the organizations that enable, ignore or patronize these gangs; together they are at the root of this criminal ecosystem. Naturally, where there is opportunity there will be opportunists.
- Secondly, it’s any company who believes that they are somehow immune or flying under attackers’ radar. They are not only negligent, but will likely find themselves liable in a court of law some day. Each business is responsible for its own security, and the economics are clear – it’s cheaper to avoid an incident than to recover from one. In the meantime, they are promoting a culture that will cost you and your customers dearly.
- Lastly, it’s the security firms who have yet to recognize (or admit) that hardware and software do not solve security problems. Yes, it’s true that a firewall can prevent certain nefarious activities, but by itself it is a simple device that requires a strategy, proper implementation and measurement to be successful. “Security” providers who make their living peddling these wares create downstream issues, forcing client security issues to look like nails for their hammers, and slathering their constituencies with a false sense of security. If you’re not part of the solution you’re part of the problem, as they say.
It’s time to think differently about how we protect ourselves and our clients. It’s being proven on a daily basis that traditional approaches to security aren’t working, and we’re fighting enemies that circumvent million-dollar technology with a simple e-mail. It’s not about how much money you spend, it’s about how you spend it.
I wonder how many business cards I would have gotten if I told them I was selling firewalls.