At a local chamber breakfast meeting this morning I had the opportunity to introduce my company to a room full of people who I had never met before. Staring into my bowl of granola and strawberry yogurt, I tried to summarize in my mind what it is that GreyCastle Security does. I needed to come up with something catchy and simple so that the 30 or so individuals at the meeting would both understand our mission and want to talk to us. We’re all in Marketing, as the saying goes.
“Good morning everyone, my name is Reg Harnish and I’m the Founder of GreyCastle Security. My company is in the business of preventing ugly headlines. You know how you’re constantly reading about companies that are being hacked, breached and robbed? We can help keep you from becoming one of those companies.”
It seemed to work, given how popular I was after the presentation.
Unfortunately for many of the businesses in that room, it’s probably too late.
According to The Ponemon Institute, annual spending on IT security has nearly doubled over the past five years.
Spending reached nearly US$80 billion in 2011, and U.S. companies are devoting 3-10% or more of their budgets to security initiatives. This sounds like a lot. But there’s a problem.
There is a major disconnect between security spending and risk. Decisions on security spending are based on many things – it’s the way we’ve always done it, it’s what other companies like us are doing, it’s what our Chairman wants us to do. Sadly, risk is usually an afterthought.
What has resulted is a disproportionately large increase in the costs of cybercrime. When an organization is not protected from attackers, or is unprepared to deal with the aftermath, its costs of recovery go up. Way up. When an organization doesn’t understand what its real risks are, it can be very difficult for it to protect itself.
So who’s to blame? All parties involved.
- First and most obviously, it’s the cybercriminals, along with the organizations that enable, ignore or patronize these gangs, since they are at the root of this criminal ecosystem. Naturally, where there is opportunity there will be opportunists.
- Secondly, it’s any company that believes it is somehow immune or flying under attackers’ radar. Such companies are not only negligent, but will likely find themselves liable in a court of law some day. Each business is responsible for its own security, and the economics are clear – it’s cheaper to avoid an incident than to recover from one. In the meantime, they are promoting a culture that will cost you and your customers dearly.
- Lastly, it’s the security firms who have yet to recognize (or admit) that hardware and software do not solve security problems. Yes, it’s true that a firewall can prevent certain nefarious activities, but by itself it is a simple device that requires a strategy, proper implementation and measurement to be successful. “Security” providers who make their living peddling these wares create downstream issues, forcing client security issues to look like nails for their hammers, and slathering their constituencies with a false sense of security. If you’re not part of the solution you’re part of the problem, as they say.
It’s time to think differently about how we protect ourselves and our clients. It’s being proven on a daily basis that traditional approaches to security aren’t working, and we’re fighting enemies that circumvent million-dollar technology with a simple e-mail. It’s not about how much money you spend, it’s about how you spend it.
I wonder how many business cards I would have gotten if I told them I was selling firewalls.
The most recent Ponemon study reveals what we’ve all been dreading – just when it seems like things couldn’t get any worse, they manage to crash and burn. According to the popular survey, more than 90% of respondents have been breached, and more than 50% of those who have already been breached expect it to occur again. Not surprisingly, greater than 50% of those surveyed were “not confident in their security”.
On the surface it seems that one of three things is occurring:
- Attackers are widening the tactics and tools gap, despite the millions (maybe billions?) of dollars that are poured into security research and development every year. The reality is, hackers like Vladimir Levin don’t play by any rules, which gives them a distinct advantage.
- Those of us who are in the business of securing important assets aren’t doing a great job. We may be focusing on the wrong things, or poorly implementing the right things or just not doing anything because our message is ill-timed, ill-crafted, or both.
- CEOs, CFOs, business owners and other decision makers still don’t care about security. This happens for any number of reasons – some continue to believe that they have nothing of value and are safely flying under attackers’ radar, and some are so deluged with data breach headlines that they are paralyzed by information overload.
Of course we’ve all seen plenty of each.
Now certainly I recognize that these data points come from a single study, and although Ponemon is highly respected, it is still a single point in time. However, if you spend long enough in the trenches, you’ll see these statistics playing out across boardrooms, data centers and watercoolers in every corner of the country. Sadly, it looks like it’s going to get worse before it gets any better.
Have a great weekend.