The Coming Security Gold Rush and Pitfall
The Russian hacking scandal will likely trigger increased interest in security technology and spending. While more security spending is a good thing, thoughtless spending could lead to a backlash.
By Larry Walsh
I’m a security enthusiast. I started my tech career as a security guy, as editor of the top security magazine of the dot-com era. I did cryptographic and classified document security during my military service. And I still associate with some of the smartest security experts in the world.
So when industry vendors, pundits, and analysts say the Russian hacking scandal will lead to a security gold rush, I couldn’t agree more. And that also bothers me, as the results could prove meaningless and produce a backlash.
My security career was just getting started when 9/11 happened. The U.S. was already sinking into a recession because of the dot-com bubble burst when Al-Qaeda attacked, and the security community was feeling the pinch.
Six weeks after 9/11, I was sitting in the lobby of a Washington, D.C., hotel that was hosting a major security conference; I was having drinks with many security luminaries whose names you’d recognize today. Usually, someone from one of the vendors – flush with VC cash – would simply lay down a credit card and pick up the tab. Not this time. Instead, everyone looked around the table to see who ordered what. The check was split.
Nevertheless, the 9/11 attacks gave everyone reason for optimism. Al Qaeda used airplanes to take down the World Trade Center, but the government and private sector worried about cyberattacks. Everyone around that table was waiting with bated breath for the coffers to open and security money to flow freely.
A few dissenters, myself among them, weren’t so certain. The money would flow, for a while, but enterprises never like pouring money into a black hole – and security can be just that.
At the time, enterprises spent about $25 billion a year – less than 5 percent of their IT budget – on security. While they entertained meetings about new security technologies, they asked questions about why their previous investments weren’t sufficient. The spending spree quickly stalled. The money that did flow was to consultants brought in to fix existing systems.
Fast-forward to today. Businesses spend nearly $70 billion a year and approximately 8.5 percent of their IT budgets on security. To put that in perspective, security spending is nearly twice as much as spending on networking equipment (including wireless). And security spending is increasing at a rate of nearly 9 percent annually. According to Gartner, security spending could top $140 billion by the end of the decade.
In the wake of the Russian hacking allegations and U.S. imposing sanctions, security vendors have turned up the volume on the rising security opportunity. And they’ve got good reason to do this. Security is a big deal, but the world needs more guidance than products.
Here’s the situation: If you look at the big and high profile security breaches of the past year – Yahoo, Verizon, LinkedIn, DNC, and multiple government agencies – most were the result of phishing attacks. More than a billion records and e-mail accounts compromised as a result of someone clicking on a malicious link.
Can technology mitigate the risk of malware infections and phishing attacks that open doors to hackers and enable data theft – sometimes on a massive scale? Absolutely.
But can one careless user open doors to hackers despite that security investment? Absolutely.
My advice to security vendors regarding their go-to-market strategies with partners: Heed the following:
- Inform partners about what new technologies are making a difference and which technologies are obsolete.
- Don’t just talk about security systems. Enable partners to effectively sell and support multi-product solutions; synergistic systems are far more effective than any stand-alone point solution.
- Provide tools for conducting security assessments. Every security vendor has a methodology for evaluating a business’s security readiness. And make sure these assessment methodologies look at security policy and processes as much as security.
- Teach partners and customers to correlate security spending with risk exposure. Security is a black hole in which money disappears if spending is done without forethought. Only by measuring risk exposure and implementing appropriate controls will security spending produce a measurable result.
- Train on security awareness. The biggest security vulnerability in any organization is End users will do stupid things – often inadvertently – that compromise security. Vendors need to enable partners to help end customers understand security best practices and instill those lessons in everyone, from the CEO to the lobby receptionist.
- Enable security services to scale protection. Let’s face it: There’s a security talent shortage, and we’re not going to grow qualified professionals in petri dishes overnight. Security services have the potential to scale limited resources to provide real risk mitigation – particularly to midmarket and SMBs that can’t afford complex infrastructure and staff.
Blind spending on security rarely produces desirable results. Instead, businesses need measured and balanced security technology and processes. A saying made famous by security guru Bruce Schneier is apt: “Security is a process, not a product.” Let’s help partners provide better protection through a combination of policy, process, product, and people. Otherwise, we may find ourselves sitting around the table looking for someone to pick up the check.