There is a dull hum permeating the industry of late – security is dead some say, others think it to be too costly to maintain, others still believe that what is needed is a change of perspective, perhaps a radical shift in how we approach the problem. What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe that would have been avoided if only we had just…well, just done something different from whatever it is we are doing at the time something bad happens.
As we go round and round on the never-ending hamster wheels provided as best-practice guidelines by security vendors, consultants, and pundits, we find ourselves trapped in an OODA loop that will forever deny us victory against malicious actors, because we will never become faster or more agile than our opponents. But to believe one can win implies that there is an end that can be attained, a victory that can be held high as a guiding light for all those trapped in eternal security darkness. We are as secure as we need to be at any given moment, until we are no longer so – and when that happens, regardless of what you may believe, is outside of our control.
So then why should IT spend on security? What would motivate one to reach back into their budgets and spend on something like DLP, or NAC, or SIEM, or a next-generation firewall/IPS/lawn-mower/coffee-grinder/dessert topping/floor wax?
Before we can answer that question, let’s first look at what doesn’t drive an organization to spend on security:
- A desire to do the right thing to protect employees and customers from potential harm resulting from a breach does not drive an organization to spend on security, unless the organization is run by hippies, and it is 1968, and Berkeley is the capital of the US, and the company sells marijuana-laced smoothies.
- A belief that increased spend on security and the latest widgets will differentiate the business in a competitive market doesn’t drive an organization to spend on security, because no one really believes that it will (and they’re right, it doesn’t).
- Security as a business enabler doesn’t drive organizations to spend on security, because security doesn’t really enable the business to increase the bottom line, and quite honestly that is the only business enabler the guy with the purse strings cares about.
- ROI doesn’t drive organizations to spend on security, because there generally isn’t one (here).
- Attempting to stop all bad things from happening doesn’t drive an organization to spend on security, because they can’t and they know it.
- Grumpy security curmudgeons who tire of the stupidity of upper management and its lack of the insight that is common knowledge among the security elite, or the securiati as they are also known, don’t drive organizations to spend on security.
What does drive an organization to spend on security?
- A security incident will drive an organization to spend on security, to ensure that exact incident doesn’t happen again. But it does happen again, generally with only slight variation from the original, so technically it will be argued to be something different altogether.
- A compliance or regulatory initiative, such as the recent OMB mandate for FDCC (here), or PCI, or SOX, can drive an organization to spend on security, but we all know that being compliant doesn’t really mean one has done anything to improve their security posture.
- When security crosses the chasm and starts impacting availability, then an organization will spend on security, not to be more secure, but to ensure availability.
Now I know that someone is going to mention that organizations will spend on security to ensure confidentiality of data, and I suppose one could make such an argument, but if that were true then encryption, especially at the database and application layer, would be the hottest thing since Joanie loves Chachi and breaches would be non-existent since all that confidential data would remain confidential. Same goes for integrity.
So most organizations will spend on security as a result of a security incident, or because they are compelled to as part of a compliance or regulatory initiative, or because availability is threatened. If that is true, and I would argue it is, then is it any wonder that we are all so disenchanted?