Being Comfortably Numb isn’t good enough when it comes to integrating technical security controls
Hello…. Is there anybody out there?
This is the famous first line of Pink Floyd’s song “Comfortably Numb”. Roger Waters who wrote the lyrics, claims that the genesis of the song has to do with the delirious thoughts he experienced as a child while suffering from fevers. Others have speculated that the song is actually about drugs. Personally, I have no opinion on this matter, but I have enjoyed plenty of evenings at the planetarium during my college years listening to his music while watching laser light shows.
So, what does this have to do with integrating technical security controls into your environment?
Having delirious thoughts is characterized by restlessness, illusions, and incoherent thoughts. Yes, a bit extreme, but arguably similar to the feelings you may experience when tasked with researching technical security control… and how could it not be?
The business model at the heart of reselling products and services is completely antiquated so the burden is squarely on you to do these activities.
So, how did we end up here?
To answer that we need to look back about 14 years. At that time security was mostly an insurance program reluctantly adopted by the Information Technology (IT) organization. There were very few solutions available (compared to today) and the threat landscape was immature and not professionally organized.
As a reference, the first data breach of credit cards happened between 2005 and 2007. In this much simpler world, industry participants like Value Added Resellers (VARs), Security Integrators (SIs), and analysts (like Gartner) provided their customers with high-value information and integration services to help them decide on the best solutions to deploy. With a limited number of solutions provided by mostly larger security manufacturers, the system worked well and filled a gap in the market.
Now, let’s fast forward to today. We’ve seen over the past decade or so, a massive amount of new cyber-attacks. They’re now coming from highly sophisticated threat actors targeting a much broader set of organizations. This has resulted in a radical change in the market.
Now, most organizations have a dedicated security team as breaches have escalated both in intensity and cost. Innovation by new IT security vendors and service providers is skyrocketing to meet new demands. The government has made Cyber a fifth warfare domain, and we see endless references to cyber security in popular TV shows and movies. Sounds like job security and an opportunity to be the “cool person” at the party…. Well, not so fast.
The gotcha is that the need for IT security has grown so fast that the industry cannot keep up with the demand. Meaning that security professionals are working way too hard since resources are scarce. So forget having time to go to those parties.
Services around reselling products are out-of-date
In stark contrast to all of these changes in the market, are the services associated with reselling security products and services. Remember the VARs and Analysts that provided useful information fifteen years ago? Well, their business models haven’t changed one bit. Some of this is their fault for being asleep at the wheel, but customers have some responsibility in this as well.
As a whole, long ago people on all sides of the market labeled solution reselling as a low-value activity, and the moniker has stuck. This has redirected the attention of VARs and SIs towards what they consider higher value services; leaving solution recommendations to a “best efforts” activity.
As far as 3rd party analysts, including peer review sites that produce reports about security products, they provide very little value for most companies. After all, the process of security integration needs to account for customer-specific interests, such as environmental compatibility, critical system integrations, compliance requirements, budgets, and even their culture.
Reading a paper about the perceptions of an analyst on which technologies are best, is a very narrow and myopic view that has little to do with the reader’s actual considerations. Not to mention, there may be other bias that also creeps into the analysis, but we will leave those out of this discussion.
A new solution is needed
This brings us back to where we started in the blog. When it comes to deciding on the right technical solutions for your organization, the responsibility is on you. With an already maxed-out schedule, this process becomes very cumbersome at a time when making fast, risk-based decision is more important than ever.
Many of the CISOs and CSOs in our community talk about IMPLEMENTATION RISK as being a key issue for them. This is the risk associated with deploying technical security controls to satisfy business needs. As their role moves into the realm of risk management, there is a heightened sense of scrutiny on this, which is driving new behavior.
These security leaders are looking for third-party validation, data metrics, and peer reviews to help lower this risk. For IT security teams this means; more work, late nights, tons of research material to scrutinize, and delirious thoughts as they sift through marketing messaging and industry hype. Which brings me back to Roger Waters’ famous line “Hello… is there anybody out there?”
The answer is “YES”, we have been working hard at innovating an approach that meets the need of today’s digital businesses. To learn more about it, check out our Connect page.