
Larry Walsh Describes Security’s One-Dollar-More Dilemma

Author: The 2112 Group’s Larry Walsh (@lmwalsh2112)

The Equifax breach shook the foundations of the digital economy. If hackers could infiltrate and massively compromise one of the major credit reporting agencies, they could raze confidence in the entire financial system.

In theory, big security breaches should trigger a surge in security spending. The sales methodology of FUD – fear, uncertainty, and doubt – dictates that security vendors and solution providers should use negative news to get end users to open their wallets and buy more product.

I was discussing this issue with a former security vendor channel chief. He said the Equifax breach is the final wake-up call to executives to invest in preventative security or else risk losing their customers, revenue, and shareholders.

Worse, he said, failure to invest more in security means companies and their management could suffer the consequences of stiff government regulations, such as the European Union’s General Data Protection Regulation (GDPR).

On the Other Hand...

I countered his assertion, as there have been as many security wake-up moments for corporate executives as records compromised in the Equifax breach. (And, for those keeping count, that’s 174 million.)

The problem with security – particularly preventative security – is the one-dollar-more dilemma. You can always spend one dollar more on security. No matter what protective measures you put in place, what technology you deploy, what monitoring services are under contract, breaches will happen. That means you can always do something more to secure digital assets.

My friend said it’s not about spending more; it’s about taking steps to plug holes and stop hackers from gaining access to infrastructure, systems, and data.

So I asked about this person’s house. “Do you have bars on your windows?”

“No,” he said.

“Well, why not?”

“That’s not the point. The hackers are already inside. We need to do more to find them and root them out. Or, perhaps, we need to find ways of containing them in areas without valuables, like a honeypot,” he said.

“OK,” I replied. “So we find them. We isolate them. And we get them out. So why don’t you have bars on your windows? Once you get them out, don’t you want to keep them out? For that matter, why don’t you just brick over the windows and doors, hermetically sealing the building?”

“That’s an aesthetic, as much as a functional and cost issue,” he conceded.

And that’s the problem with security. The security sector, particularly companies making and selling product, will always claim that a security problem can be solved by investing in one product or product set. That’s their bread and butter.

Security technology – products and services – is an important part of the security paradigm, but a security silver bullet, a product that addresses all threat conditions, doesn’t exist. We need combinations of security technologies, synergistic systems that create defense-in-depth infrastructures that mitigate – not eliminate – security threats.

Security Policy, Processes and People

Equally important as technology, if not more so, are the other components of the security paradigm – policy, processes, and people. Businesses need policies to define their security needs and objectives. They need processes to define how they’ll manage their security infrastructure, enforce policy, and respond to threats. And they need to enable people to understand security threats and act accordingly when incidents happen.

And incidents will always happen.

Yes, businesses need help with their security technology, but they also need more help understanding and managing their threat exposure. This is where security solution providers and managed security solution providers add tremendous value. Solution providers help businesses define their security needs, apply appropriate levels of technology, augment management capabilities, and respond to incidents to minimize impact and recover from damages.

While it’s true that businesses could always spend one dollar more on security, they don’t have an unlimited supply of dollars. And even if they did, spending a mountain of money on security wouldn’t make a company bulletproof and would have the added consequence of reducing operational effectiveness. Through security services, solution providers can help customers apply their limited budget to have the most impact while still having unobstructed views out their windows.

Larry Walsh is the CEO and chief analyst of The 2112 Group, a channel research and strategy firm. In a previous life, he was the editor of Information Security magazine.