Admitting to Security Failure
As security spending continues to increase, and keeping systems secure becomes more complex, solution providers need to buy into a more well-rounded approach to helping end users
By Larry Walsh
I’ve been following security technology and trends for the better part of the past two decades. I’ve seen security products and companies come and go. Every year, a wave of new companies hits the market with shiny boxes and complex applications designed to close the gap on threat exposure. Every year, security is noted as a top business priority. And every year, security spending increases faster than general IT spending.
Last year, security spending topped $70 billion. For the decade, 2011 to 2020, security spending will increase at a rate of 8 percent to 9 percent annually – nearly twice the rate of general IT. And by 2020, security spending is expected to top $140 billion annually. And yet, despite billions upon billions of dollars spent, security breaches continue to increase, and so does the damage.
According to the Identity Theft Resource Center, known security breaches resulting in personal data-record compromises – mostly credit-card records – increased 97 percent in 2015. A tally of compromised records topped 300 million last year. And none of this speaks to the massive volumes of stolen intellectual property and sensitive operational data.
Security is a problem that affects everyone – individuals, small businesses, enterprises, and governments. Everyone is well aware of the threat and risk exposure, and most understand that there’s no simple answer. Yet security is often given short shrift, particularly by the companies – vendors and solution providers – that sell security products and services.
Security is a discipline based on 4Ps – people, policy, process, and product. Yet the security problem is so bad that we need to add a fifth P to the paradigm: prayer.
Yes, prayer. We may need to seek divine protection from the evils of the Internet and malicious users as we have limited guarantees that any of the security products or their supporting services will safeguard our businesses against catastrophic events. Worse, consumers need prayer as the security community – vendors, evangelists, and resellers – often present them with conflicting solutions, messages, and guidance.
While security vendors often speak about selling holistic systems – often following defense-in-depth strategies – they default to prioritizing unit sales. They are, after all, in the business of selling products. They can’t compel end users to buy complete systems, so they must do what’s right for them to remain viable.
Resellers, on the other hand, need to rethink their approach to security. Vendors are only part of the security paradigm – mostly product – so they have a limited role. Resellers, systems integrators, and MSPs can play multiple roles across the 4Ps, providing customers with guidance, technology, and support that reduce operational burdens and increase security effectiveness.
Some people will say the channel needs more security training. That assertion is only partially true. The security segment is replete with collaboration groups, standards, best practices, certifications, accreditation, assessment methodologies and tools, and resources for facilitating good security. What’s needed is a better economic argument for incenting partner engagement. It’s not that solution providers aren’t aware of these resources; it’s that they’re not fully cognizant of what they get out of engaging.
Security vendors should encourage partners to engage in a breadth of security practices by honing their understanding of security methodologies that result in the more practical application of processes and technologies. Encouragement should come in the form of an economic argument, as depth of knowledge and skill requires an investment. And that investment will pay out, provided partners see a path forward.
The 2112 Group is a firm believer in the application of security practices over technology. Technology is a means to an end, but the process in the form of well-rounded practices is the carrier and catalyst. Let 2112 help you and your partners find a better security path forward. We can provide the training and guidance required for a more secure future.