The security industry is failing.
Not failing to make money, of course: Gartner estimates worldwide industry spending will more than double by 2020. The failure, our failure as an industry, is that breaches continue to outpace the investment. Last year alone, budgets swelled 24%, while the number of security incidents rose 38%, according to PwC. When an entire system is spending more money only to realize the problem is getting worse, the system is broken. And when the stakes are as high as they are — securing the infrastructure and businesses that power our way of life — the time for change is now.
The writing has been on the wall for years, often with devastating consequences, and last month’s news from Google Project Zero was the latest in a string of unfortunate cybersecurity news in which vulnerabilities were discovered far too late or valuable personal information was stolen at massive scale (e.g., the recent Wendy’s hack).
So what’s a CEO to do? Step one is acceptance: you must come to terms with the fact that intrusions into your network are now an inevitable part of your life. The traditional perimeters around networks have dissolved, threat actors are faster and more sophisticated than ever, and the rapid pace of innovation exposes us to new cyber threats every second. But that doesn’t mean you can’t protect your data.
If step one is acceptance, step two is going back to basics and getting your house in order. The first question I ask when I meet with a CEO is “How many endpoints do you have on your network?” More often than not, if they even have an answer, they are off by thousands, or sometimes hundreds of thousands, because the technology they depend on to see the truth about the size and activities on their networks cannot scale to the size of modern networks. With the rise of mobile and connected devices, the number of network endpoints has ballooned from the tens of thousands 20 years ago to the tens of millions. Each endpoint, whether it’s a laptop, a cell phone, or a connected device, can really be considered an entry point to your network, and you cannot protect what you don’t know exists. The common threads of the recent major hacks are the back-to-basics cyber-hygiene problems of not knowing what is in your computing environment, the inability to limit who has access to that environment, and the difficulty of finding known vulnerabilities. Once you have full visibility into your network, you can shift from an antiquated prevention-based strategy to one of rapid detection and response. That’s the new paradigm for protecting your data.
Step three: let go of the promise of prevention offered by tools like anti-virus. Prevention-based technologies were designed for a time when networks were considerably smaller. Anti-virus is a relic of the past — in 2016, attacks are coming 10x faster than anything AV solutions can offer. Essentially, you have no chance of combating a one- or two-month-old threat with 20-year-old technology. What’s more, threat intelligence data is not only incomplete, it’s often painfully slow, taking days or weeks to provide insight into what’s happening on your network. With a constantly changing IT environment and attackers able to compromise systems within minutes, the tools required to solve this problem need to provide visibility and control in seconds.
The news isn’t all bad. The market is beginning to respond, and the security world is experiencing a revolution from the inside. Many of our customers have shared that they are getting rid of anti-virus. Consolidation will be key to the future of IT management and security — at the company level and industry level. As customers consolidate their point solutions into a single platform, niche vendors will simply disappear, for the good of everyone. Let’s together hold accountable industry leaders who continue to promise customers that their problems will go away if they deploy an array of solutions and stitch them together themselves. It’s not only wrong, it’s immoral. We have a duty to set the path right in cybersecurity.