The All or Nothing Cyber Security Paradox

Money money money money. Money.

A recent report on cyber attacks covered in ComputerWeekly found friendly terrain for hackers within the perimeter of internal banking networks.  In other words, once you’re in you’re really in.

As soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries, according to a report on cyber attacks on banks by Positive Technologies.

The increasingly bleak history of breaches was enough for me.  Companies underfunding their security teams were accepting higher levels of risk for business reasons. I get that.

When reports emerge indicating that even well-funded financial institutions aren’t faring much better when it comes to their internal networks, the problem looks even bleaker.

Maybe the issue isn’t money after all.  Perhaps it’s a bigger issue.

A few weeks ago Vidder CEO Mark Hoover wrote a blog advising CIOs to Retreat to Higher Ground.

The corporate network, once a great enabler of business productivity, is rapidly becoming an obstacle. This is leaving CIOs with no choice but to make a strategic withdrawal away from defending global and integrated corporate networks, towards more secure-able and relevant perimeters.  There is no other way forward.

Security is Commoditizing while Adversaries are Specializing

In a follow-up blog (Security and the “All or Nothing” Paradox) he explains why things are so screwed up, even at firms with ample security budgets and/or a high correlation between breaches and exec career risks. Vendors don’t want to specialize or innovate away from their core competencies, channels and predictable cash models to guide their customers toward vendor-agnostic best practices.

It has been more than 20 years since The Innovator’s Dilemma was published, yet today it is perhaps more relevant to security companies than ever.

Pressures on Leading Public Vendors are Immense… to Predictably Monetize Past Investments

Today organizations buy commoditized approaches to securing everything equally, never mind the growing burden on the security team and the shrinking value of the corporate network as a strategic choke/monitoring point.  Vendors want their customers to buy more stuff and certify more employees in specific solutions.

Many of these vendors are public companies with heavy pressure on quarter to quarter performance. Some are converting from hardware to SaaS models while trying to keep their channels content. Perhaps the pressures on the vendors are so great they simply cannot innovate, and that keeps their customers in a constant state of need and vulnerability despite their security budget.

Adversaries are Getting More Specialized

At the same time adversaries become even more specialized, attacking specific types of vulnerabilities and leveraging tools that lower the skills or knowledge required for success.

So Hoover wraps up with how we have digressed into “all or nothing” vendor strategies:

The stock price of the vendors that shape corporate IT thinking and spending depends a lot on getting customers to continue to upgrade or modernize their networks on a regular basis. It is not in the best interests of large network and network security vendors to have customers reduce the extent or sophistication of their infrastructure.

In the end, the interests of the large security vendors diverge from the interests of their customers. So enterprises get an “all or nothing” paradox where all is still really nothing.

*** This is a Security Bloggers Network syndicated blog from ARCHIMEDIUS authored by Greg Ness. Read the original post at: http://feedproxy.google.com/~r/Archimedius/~3/X6ud1qxXda4/