All Things Digital


All posts tagged ‘RSA’

Monday, April 21, 2008

RSA Conference Will Shrink Like a Punctured Balloon

Bruce Schneier

Last week was the RSA Conference, easily the largest information-security conference in the world. More than 17,000 people descended on San Francisco’s Moscone Center to hear some of the more than 250 talks, attend I-didn’t-try-to-count parties, and try to evade over 350 exhibitors vying to sell them stuff. Talk to the exhibitors, though, and the most common complaint is that the attendees aren’t buying. It’s not the quality of the wares. … The problem is that most of the people attending the RSA Conference can’t understand what the products do or why they should buy them. So they don’t.


Monday, April 30, 2007

Beyond the Illusion of Perfect Security

Art Coviello

Should security people doubt themselves? Or does that make us seem wishy-washy and weak? Is that why we continue to pursue the goal of Perfect Security with such single-mindedness? Or are we just protecting our own investments?

At the risk of shocking the security world, in my keynote address at the 2007 RSA Conference, I said that the industry’s approach to security isn’t working anymore. I looked out at a sea of somber security experts and told them that the value of stand-alone security solutions–traditionally “bolted-on” to applications, after the fact–is diminishing. That, with the exception of a few innovative start-ups, there will be no stand-alone security business three years from now.

In truth, I could hardly believe that I was making this pronouncement. Am I really predicting that the security market that I helped build has reached the “evolve or devolve” phase? Have I given up the pursuit of Perfect Security? Indeed I have. And so should we all.

Perfection is a distraction

Perfect Security is an illusion. Worse, it is a distraction that wastes time and resources. Does this mean I’m advocating for imperfect products? Hardly. I’m advocating for aligning security to the value of the information that we are charged with protecting. And I don’t mean “information security” because, as things stand, that’s a complete misnomer, too.

Our security industry is becoming the short leg of a three-legged stool. The other two legs–our customers and the criminals–are changing much faster than we are adapting.

Let’s consider the criminals. They used to be mostly show-offs and malcontents, looking to display their intellectual prowess and beat the system. Today our nemesis is motivated less by ego and more by greed. IDC estimates that the black market for procuring fraudulent identities is approaching $1 billion. Identity fraud, pretexting, social engineering–they’re all extremely profitable activities. With profit-minded, professional criminals now on the other side of the firewall, how safe do you think we can make our information assets using legacy approaches to protection?

Which brings us to the customer. In only the first six years of the 21st century, more information was created than had been since the dawn of time. Most security people hear those figures and think: “Higher walls! Deeper moats! Extend the fence-line!” And that’s where our single-mindedness becomes our undoing, and our leg of the stool begins to wobble.

Information is the greatest asset companies have. If we try to shackle information, we will stunt the growth of the businesses that we are trying to protect. We don’t want to be the ones to stifle those opportunities by erecting higher and higher walls.

We are embarrassed to admit it, but as security companies, we have become much more about imposing limitations than lifting them. The real quest should be to enable and accelerate new ways of doing business by providing security that is inextricably linked with business strategy.

As an industry, we need to get our minds around the fact that, in a dynamic world, information is never static. It won’t stay behind the walls we put up. And if it does, that just means that we limit a company’s ability to extend its supply chain, or expand sales channels, or reach out to customers.

If we thought less about security threats and more in terms of business opportunities, we’d be on our way to transforming ourselves. Does the pursuit of Perfect Security have a place in this model? Absolutely–the more valuable the information, the closer we need to get to perfection.

When we focus solely on implementing technologies, we often lose sight of what we really want to accomplish–reducing the risk to the highest-value information. We’ve thrown everything we have at securing the perimeter around the information, but rarely do we protect the information–the vital information–itself. According to IDC, organizations spent about $38 billion on security in 2006 alone. Yet fewer than one in five companies actually believes that its data is safe.

Think principles, not products

Principle No. 1: Static solutions aren’t sufficient for dealing with dynamic information needs–or dynamic attacks. We need dynamic security built into our information infrastructure. The IT infrastructure and IT security must come together in a more tightly knit way.

Security cannot be just about firewalls, anti-virus, intrusion detection or encryption. Static technologies like these are simply security basics. Consider encryption. At the proper key length, and with good accompanying key management, encryption is a “perfect” security application. The catch is that very little information is actually encrypted. It’s too costly, and we haven’t yet been able to classify and tag the information of highest value or at highest risk.

Information has this nasty habit of always wanting to travel, and it doesn’t always want to be at rest where you can encrypt it. How do you protect the flow of the information when it’s in use? On to…

Principle No. 2: Security must be adaptable–and always alert.

We’ve mastered pattern-recognition technology to identify people. Why can’t we apply similar technology to identify flows of information? Why can’t we create policy-enforcement engines so that when we spot anomalies we can automatically stop information from flowing?

We need to build pattern recognition directly into infrastructures, so we can recognize the anomalies of potentially criminal or inappropriate behavior and, at the same time, make it easy and unobtrusive for users. We need to be able to audit data continually as it travels across servers, networks, storage and applications within and outside our walls. And as it does, we need to stay on alert and enforce policy, based on the inherent risk to the information or of the transaction.

Stronger access control can also be implemented, based on factors such as patterns of usage, time of access and volume and value of data. We can look at all of these attributes based on risk or anomalies and stop the information at various points along the way with policy-enforcement engines.
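To make the policy-enforcement idea concrete, here is a small risk-based access engine written as an added illustration for this page; it is not RSA’s product logic or code from the author. It scores each data access on the factors named above (value of the data, time of access, volume, and deviation from the user’s usual datasets and network) and maps the score to allow, step-up or block. The event fields, classification weights, thresholds and the per-user baseline for the hypothetical user "alice" are all assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Illustrative only: the event shape, weights and thresholds below are assumptions,
# not any vendor's product logic.

@dataclass(frozen=True)
class AccessEvent:
    user: str
    dataset: str
    classification: str  # one of the CLASS_WEIGHT keys
    rows: int
    timestamp: datetime
    source_ip: str

# Value of the information: higher classification, higher baseline risk.
CLASS_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}

# Per-user usage baselines (assumed to be learned from history; hard-coded here).
BASELINES = {
    "alice": {
        "work_hours": (8, 18),          # local hours in which access is normal
        "typical_rows": 500,            # median rows per query
        "datasets": {"orders", "inventory"},
        "ip_prefix": "10.20.",          # corporate address range
    }
}

def risk_score(event: AccessEvent, baseline: dict) -> int:
    """Score one access on data value, time, volume and deviation from usual pattern."""
    score = CLASS_WEIGHT.get(event.classification, max(CLASS_WEIGHT.values()))
    start, end = baseline["work_hours"]
    if not (start <= event.timestamp.hour < end):
        score += 2                      # time of access: off-hours
    if event.rows > 10 * baseline["typical_rows"]:
        score += 3                      # volume: bulk pull
    elif event.rows > 3 * baseline["typical_rows"]:
        score += 1                      # volume: noticeably above normal
    if event.dataset not in baseline["datasets"]:
        score += 2                      # pattern: dataset this user never touches
    if not event.source_ip.startswith(baseline["ip_prefix"]):
        score += 2                      # pattern: unfamiliar network
    return score

def decide(event: AccessEvent, baseline: dict) -> str:
    """Map the score to an enforcement action; users with no baseline are blocked."""
    if baseline is None:
        return "block"
    score = risk_score(event, baseline)
    if score >= 8:
        return "block"
    if score >= 4:
        return "step_up"                # e.g. require re-authentication first
    return "allow"

def evaluate(events, baselines):
    """Return (event, decision) pairs: the engine's audit trail."""
    return [(e, decide(e, baselines.get(e.user))) for e in events]

# Constructed sample events (not real data).
EVENTS = [
    AccessEvent("alice", "orders", "internal", 400,
                datetime(2007, 4, 30, 10, 0), "10.20.3.4"),
    AccessEvent("alice", "orders", "confidential", 2000,
                datetime(2007, 4, 30, 11, 0), "10.20.3.4"),
    AccessEvent("alice", "customer_pii", "restricted", 250_000,
                datetime(2007, 4, 30, 2, 0), "203.0.113.7"),
]

if __name__ == "__main__":
    for event, decision in evaluate(EVENTS, BASELINES):
        print(f"{event.user} -> {event.dataset} ({event.rows} rows): {decision}")
```

The three constructed events walk the scale: a routine pull of internal data is allowed, a larger pull of confidential data triggers a step-up, and an off-hours bulk export of restricted data from an unfamiliar network is blocked. In practice the baselines would be learned from history rather than hard-coded, and the audit trail returned by evaluate() is what lets the decisions be reviewed later.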

Principle No. 3: Defense in depth simply means proactively understanding the risks that surround us and ensuring that there is no single point of failure in the protection approach we deploy.

Because it requires multiple defense mechanisms–and companies–working together, defense in depth has been slow to materialize. However, now that the stakes are higher–nothing less than the success and survival of the security industry–we have a darn good incentive to look beyond our own silos.

We’re mostly fighting the same criminals, right? So rather than fighting them on our own, it makes much more sense to work together. Intelligence sharing would mean that our enemies could no longer isolate a specific business, attack it and hope not to be noticed. No business would have to go through its own learning curve, or endure several attacks of its own, before unmasking a new one.

To close, then… We chase threats today just as Ahab hunted the great white whale. But we can do better than that. By being adaptable, integrating security into the IT infrastructure, thinking in layers and working together, we can weave a new kind of security net that will thwart malicious profiteers more successfully. And, in so doing, we will be facilitators of business growth and genuinely help to open doors to a wealth of new possibilities.
