Light Dark
May 5, 2017 By Jack Danahy 3 min read
Risk Management
Intelligence & Analytics
CISO

Exploits, data breaches and ransomware campaigns are succeeding despite increased public awareness about these threats. New victims are found, old targets are rediscovered and people want to know how this keeps happening.

It isn’t because people don’t care. In the past three years, according to Google Trends, the subject of hacking has generated more queries than poverty, bankruptcy, corruption and even nuclear war. Plenty of individuals are trying to learn more, but what they find is confusing because of the way security vendors have historically positioned, justified and sold security. In their efforts to differentiate themselves and express the urgency of the problems they solve, vendors have unintentionally paralyzed buyers. For security to improve, these old habits have to change.

Security Vendors, Messaging and John Nash

Security companies are pretty consistent. When they uncover a new and successful attack that is creating an urgent need, they develop solutions to identify, block and recover from it. To raise interest in their new solutions, they develop campaigns and tools intended to show that a next generation of technology is the answer or that an entirely new approach is required. Existing solutions are cast as no longer appropriate because they have allowed this new attack to succeed.

Given the speed with which the threat landscape changes, this means that organizations are regularly told that they need to adopt entirely new tools and platforms because their existing solutions aren’t sufficient anymore. The message is that radical changes are needed to make them safe. This aggressive positioning leaves buyers knowing only one thing: They need to do more, and this time they aren’t going to make a move until they are sure it’s the right one. Certainty doesn’t come easily in the security market, so the major result of all of this turbulence is often indecision and delay.

In economics, this negative outcome was captured in a theory that won John Nash a Nobel prize in 1994. Nash discovered that a universal pursuit of unalloyed self-interest can create less-than-awesome outcomes for everyone involved. In this case of new protections, it is clearly happening. When security vendors commonly create distrust about competing solutions, organizations grow skeptical of the claims and benefits of the entire sector.

Proving a Negative

Demonstrating protection functionality objectively requires proving a negative — that the system cannot be violated. Proving a negative is generally pretty tough, but much more so in security, where there are innumerable threats with new twists evolving daily. The problem is exacerbated by a lack of consistency on the part of security reviewers and ratings providers. In the absence of a universally accepted testing framework, even relative rankings cannot help users distinguish among new offerings that claim to raise the level of protection.

The results of this are bad for everyone concerned. Organizations react by retrenching and deploying more of what they know, while delaying or rejecting the adoption of newer protection technology. When this happens, vendors lose time and new customers, while buyers lose the opportunity to acquire much-needed new defenses.

Supporting an Incremental Approach

The solution is for security providers to communicate clearly about the specific added protections that they provide. It may be defense against a new type of attack, a monitoring platform that can synthesize new messaging types or something completely different. Providing clarity offers the opportunity for a more beneficial security equilibrium because buyers can make decisions about their own needs for a mix of technologies without the disruption and second guessing associated with more confrontational messaging. This is in keeping with well-established security dogma, which has always maintained that there are no silver bullets and that no single solution will ever provide 100 percent security.

Overtaxed security administrators also benefit from this candor. Wholesale migration to a new platform requires the retraining of existing staff, new resources added during the course of the migration and the reimagining of existing processes to integrate a new set of capabilities. Once completed, this level of change will usually require rewrites of control and audit documentation to describe the new solution.

Efficient improvement of protection limits itself to just that, improving existing protections. In this model, additional protections, or areas of increasing investment, are integrated within existing processes and frameworks wherever possible, minimizing the disruption and retraining chaos that can accompany full replacement strategies.

A New Era of Openness

In the IBM Security App Exchange, additional collaborative security functionality can be added, ranging from endpoint protection to visualization and incident response. This type of incremental protection scheme allows a chronically understaffed security team to prioritize and improve protection at a pace consistent with the rest of its responsibilities.

This requires buyers to demand, and vendors to provide, a concise view of their incremental value and the value of their solutions in an integrated platform of the buyer’s choosing. In time, that will naturally consist of multiple approaches and should leverage analytics derived from information provided by disparate vendors. It will also require additional openness and clarity from vendors, but there is a unique opportunity to improve security and security adoption without unnecessarily calling into question years of previous security decisions and investments.

 |  |  |  | 
Jack Danahy
CTO and Founder, Barkly

More from Risk Management
April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature