On Wild Security Maturity Overestimation

Want to know the absolute #1 insight I learned working at Gartner for 6+ years? No jokes, this is serious!

Any guesses from the audience?

In any case, here it is: there is a huge number of organizations that are way, way, way worse at information security than your wildest, most pessimistic view of the world. And I mean “sit there, get depressed, then get really depressed, then think of a number of organizations with minimal security … then multiply it by a factor of 2” type of stuff.

We are talking about stuff like this (all representative fakes, NOT real quotes):

  • How do you spell SIEM? (ok, perhaps this one is a real question)
  • What is this new technology called DLP?
  • Can you recommend a SIEM that requires no work at all?
  • Why can’t we just use a firewall?
  • What do you mean by “we need to patch 3rd party applications too”?
  • How to convince our management that we need a vulnerability scanner?
  • Why do we need to collect (!) all those logs? It seems awfully hard.
  • We are a $1b organization and we just hired a security guy. Do we need another one?
  • (and of course, the absolute winner!) We patch Windows twice a year, is this often enough?

However, I see a lot of journalists and “shallow analysts” bounce around numbers like “38% of organizations use security orchestration tools” and other comedy like that. Recently somebody said that “most organizations will soon have a security data lake” and I thought “riiiiiight.”

Typically, they are driven by mindless surveys of the kind that produce results like “73% of respondents prefer teleportation to driving.” Even some of our own surveys often show excessive tool adoption that is not validated by real life. I’ve seen really hilarious tech adoption polls that vendors commissioned, so they essentially deceived themselves at their own expense.

An astute reader may opine that some of this is driven by selection bias (“I pick 3 people at random among my friends, and they know my name, ergo all humans on Earth know me by name”) and not by sheer idiocy, but frankly I think this is worse than that. Selection bias alone cannot explain some wild views of overall security maturity across organizations that you can find out there.

So, Anton, what is your message here? Ah, it is this: dear vendors, don’t build and sell products based on stupid assumptions and incorrect fact bases – most likely, much of the world is NOT ready for your technology. If you want to make it ready faster, prepare to pay big bucks to educate and evangelize. Get better facts, and do NOT learn about the world from the media – talk to real technology users (or to analysts who talk to real users).

This is a Security Bloggers Network syndicated blog post authored by Anton Chuvakin.