The Uncomfortable State of IT Security (War, Germs, and Horror)
- Vlad Kostyuck
- May 31, 2017
- 4 min read

IT security is a pain. A pain in all senses: in terms of money, in implementation, and in terms of the fact that no matter how much you work at it, your chances of completely repelling a sophisticated and determined attack are not that high relative to what you spend.
It’s a prerequisite to have security, but by itself it serves no purpose until an attack. It’s similar to a defence budget in that regard: during peacetime, hippies marching with picket signs that say “What about the children?” seem to make sense, but on the day that war comes, if you are not spending, you will certainly end up paying.
Worse still, there are no “nuclear options” that can guarantee even a modicum of safety; the germs are becoming more resistant and are multiplying (if you will excuse the mixed metaphor).
The dreary words above have a number of implications and explanations. Let’s start with the explanations, best summed up by Keith Weiss, Morgan Stanley’s lead analyst for the software sector: “In our view, a massively expanding surface of digitized assets in both commercial and consumer realms sustains strong demand for security.” What that means is this: the more digital our world becomes, the more our need for security increases. The surface area that is prone to a cyber-attack is becoming increasingly large: everything from uncontrolled security cameras, to WiFi enabled thermostats.
In part, this is why a security-conscious enterprise may seem a bit like a fortified medieval castle preparing for a siege. Moats, garrisons, murder-holes and all. Large enterprises can be procuring security products from up to 15 – 20 different vendors, where each represents a specific niche that requires specifically trained personnel. Somehow, someone has to oversee all of this. Needless to say, these personnel do not come cheap.
Interestingly, while it is true that enterprises may face more attention from cyber criminals (why hold up a diner when there’s a bank next door?), the increasing accessibility of technology, and its importance in enabling core business processes, means that even SMBs have a target on their back.
Now, the implications. These are rather complex: on a basic level, security vendors should think twice before celebrating the current “viral” status of their industry. The marketing message that this presents is not in the least bit palatable: “Pay us, or else.”
In the same way that Cassandra did not garner much support in Troy, spreading a message of Doom and Gloom and Impending Apocalypse is not likely to stir the rosy cheek’d of enterprises into action. By the time their customers’ personal data is being sold in the dark corners of the internet, these same enterprises will be, figuratively, six feet under.
And it’s hard to collect a paycheck from the dead.
It is for that reason that the marketing message around security should also be about enabling something, rather than just preventing.
On a business level, we can clearly note a shift from product sales and implementation to services and processes. Good general hygiene (in the security sense) is becoming just as important as having a suite of software security products and firewalls. This means audits, certifications, and engagements led by security consultants are the status quo. Partners will soon see growing fleets of skilled professionals that utilize a variety of diagnostic and automated management tools.
Their ability to make the right investments in the right personnel, and their ability to automate and standardize consultative engagements, will determine the overall sustainability and scalability of their security.
There is demand in the market for managed service providers to tackle their end customers’ security challenges. At the moment there is a definite lack of resources and sophistication among MSPs to provide a holistic cybersecurity support service. As noted by articles in TechTarget that quote a survey of MSPs by Kaseya (2016):
· 90% of respondents offer patching updates
· 72% offer desktop security
· 64% offer audits and discovery
· 34% provide identity access management
Not all MSPs will immediately be able to provide holistic security service to their end customers. It seems that the majority will work towards increasing the variety of security services that they are able to deliver in line with the end customer demand.
From the vendor perspective this implies some rebalancing of their programs: shifting away from trying to steer partner behaviour through financial incentives and instead focusing more on the developmental features of their programs, namely partners’ certification and the establishment of good security hygiene, as well as the integration of various cyber security products into suites that allow for automated management.
It can easily seem that the cybersecurity threat posed by state and private actors presents an overwhelming challenge to the whole “digital community”, with the latter finding it hard not only to keep up with the increasing array of dangers themselves, but also with the management of the various defenses aimed at counteracting those dangers.
This uncomfortable state of IT security cannot persist forever. Both the IT infrastructure vendors and legislation are taking steps to strategically change the situation by providing greater built-in security at the platform level and increasing regulatory controls.
However, it is up to the security vendors and their partners alone to articulate the value that they can provide in the long run and to devise ways in which they can deliver it. The vendors will sell us the brick and mortar, and with their help, we will build our castle.