Commercialization of the Information Security Industry
Posted on Saturday August 12th 2006, 11:33 am by admin

The past few years have shown a drastic increase in the commercialization of the information security industry. Companies struggling to remain competitive in their markets turn to technology as a means to do things faster, better and cheaper. The more these companies rely on technology to support their bottom line, the more exposed they become should there be any type of technology failure. The events of 9/11 and the increased outbreak of malicious worms over the past 24 months have made us painfully aware of what happens when we are without our beloved technology.

Just as we have seen time and time again, increased awareness of and focus on a specific industry grabs the attention of venture capitalists, entrepreneurs and opportunists. Everyone moves to get their ideas to market. Generally the first to act are the industry leaders, people who have been fighting the battles for years and who understand the real challenges at hand. In the information security industry these specialists were a combination of public-sector leaders and government veterans (ex-military intelligence, ex-DoD, ex-CIA, etc.). These individuals had a head start on the industry “opportunists.”

“Metoo-ism”
As a senior technology advisor for a venture capital firm, it was one of my responsibilities to ensure that I kept up with new technologies in the industry. In the fall of 1999 I attended the Internet World conference in New York City to do a bit of “technology scouting.” I was absolutely stunned by the lack of innovation that year. There were countless vendors selling their goods that were all like each other. There were literally hundreds of vendors peddling the same goods.

Any time there is either a new industry or a new focus on an industry, entrepreneurial-minded people and opportunists will find ways to leverage their knowledge within it. It’s like a free lunch at the buffet line. The combination of entrepreneurs, opportunists and market leaders makes for a wild foot race to see who can grab the most market share with their product or service. Volumes and volumes of marketing material are created. Sales pitches are created and honed in such a scientific manner that it sometimes seems more effort is put into marketing the product than into building the actual product.

The growth of technology as a business tool has driven massive growth in the information security industry over the past five years. As in other industries, this growth brings with it many new vendors peddling their products. And because this is a new industry, these vendors lack many of the ancillary factors that help in choosing a vendor: an established corporate brand, a long track record, reference customers or financial strength. Even for some of the larger companies with security-related products, many of those products are in early generations and their value is still to be determined.

As with any industry, it takes multiple iterations and generations of ideas, approaches and technologies before the key ones rise to the top and show a track record of success. This is true even for our ever-changing information security world.

Making sense of it all
And then there’s you. Mr. or Mrs. CIO, CTO, CSO, or just the poor old “you deal with security” person. While your general responsibilities in the area of information security have not changed, you now get a complete bombardment of new technologies and sales pitches. People trying to sell you fixes to problems you never knew existed. Cool new technologies that you never thought possible are now available. Complete IDS networks that think and evolve and talk to firewalls. Honeypots that attempt to snag would-be hackers. A seemingly never-ending compilation of gadgets, trinkets and services.

At the end of the day there is still only a certain amount of budget to go around, and you need to make the most of your expenditures. Security at times tends to be very complex and overwhelming; the key is to break these complex scenarios down into smaller pieces and apply business logic to them.

Information security risk management in a nutshell:
1.) What are you protecting?
2.) What are the risks, and how likely is each one?
3.) What is the business impact if the risk is realized?
4.) What are the hard costs of the mitigating measure (purchase, implementation)?
5.) What is the operational cost of the mitigating measure (staff, tuning, licences) over the same period you are measuring the impact against?
If #3, weighted by the likelihood from #2, is greater than #4 + #5 then you have a good fit.
If it is less than #4 + #5 then go fish.
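The following is an added worked example of running a few candidate measures through those five questions; it is not code from the original post. It assumes a likelihood per year for the risk, a fraction of that likelihood each control removes, and a three-year horizon so that one-time hard costs and recurring operational costs are compared on the same footing. All asset, likelihood, impact and cost figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """Answers to questions 1-3 for one asset/threat pair."""
    asset: str                  # 1) what are you protecting?
    scenario: str               # 2) what is the risk?
    annual_likelihood: float    # 2) expected occurrences per year (assumed value)
    impact: float               # 3) business impact in dollars if realized


@dataclass
class Control:
    """Answers to questions 4-5 for one candidate mitigating measure."""
    name: str
    hard_cost: float            # 4) one-time purchase and implementation
    annual_ops_cost: float      # 5) recurring cost: staff, tuning, licences
    likelihood_reduction: float  # fraction of the likelihood removed (assumed value)


def naive_fit(risk: Risk, control: Control) -> bool:
    """The rule of thumb read literally: raw #3 > #4 + #5 for a single year."""
    return risk.impact > control.hard_cost + control.annual_ops_cost


def evaluate(risk: Risk, control: Control, years: int = 3) -> dict:
    """Likelihood-weighted loss avoided versus total cost over one horizon."""
    exposure = risk.annual_likelihood * risk.impact * years      # expected loss, no control
    benefit = round(exposure * control.likelihood_reduction, 2)  # expected loss avoided
    cost = round(control.hard_cost + control.annual_ops_cost * years, 2)
    return {"control": control.name, "benefit": benefit, "cost": cost,
            "net": round(benefit - cost, 2), "fit": benefit > cost}


def rank_controls(risk: Risk, controls, years: int = 3) -> list:
    """Order candidate controls by net benefit, best first."""
    return sorted((evaluate(risk, c, years) for c in controls),
                  key=lambda r: r["net"], reverse=True)


# Constructed sample data, not figures from the post.
ORDER_SYSTEM = Risk(
    asset="online order system",
    scenario="worm outbreak takes the order system offline for a day",
    annual_likelihood=0.5,
    impact=200_000.0,
)

CANDIDATES = [
    Control("managed patch deployment", hard_cost=20_000,
            annual_ops_cost=15_000, likelihood_reduction=0.8),
    Control("self-evolving IDS that talks to the firewall", hard_cost=150_000,
            annual_ops_cost=80_000, likelihood_reduction=0.5),
    # cheap box, but somebody has to watch it: the ops cost dominates
    Control("honeypot", hard_cost=5_000,
            annual_ops_cost=30_000, likelihood_reduction=0.05),
]

if __name__ == "__main__":
    by_name = {c.name: c for c in CANDIDATES}
    for r in rank_controls(ORDER_SYSTEM, CANDIDATES):
        naive = naive_fit(ORDER_SYSTEM, by_name[r["control"]])
        print(f'{r["control"]:45} benefit={r["benefit"]:>10,.0f} '
              f'cost={r["cost"]:>10,.0f} net={r["net"]:>10,.0f} '
              f'fit={r["fit"]} (one-year raw rule: {naive})')
```

The honeypot is the instructive row: judged by raw impact against one year of cost it looks like a fit, but once the small likelihood reduction is weighed against three years of someone’s time to watch it, it is not. The expensive IDS fails either way.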

While there is plenty of material available on each of these steps (asset identification and classification, risk identification, and so on), the point here is to pick a process and follow it, don’t get sidetracked by vendors, and be sure to factor in the operational cost of the measure you are implementing: the cheap box that needs a full-time person to watch it is not cheap.

In the end, there is no information security silver bullet. There is no vast body of industry data you can look back on to fix your problem. Information security companies are building products to solve every problem in the world. That does not mean they are solving your problem.

The process never changes. Build your program on a defense-in-depth strategy. Understand your problem before you shop for a solution, and don’t get sold a solution for a problem you don’t currently have.