A couple of recent analyst reports tout significant growth in the information security market. But will that spending make organizations any safer?
According to a story in The Register, Gartner predicts global spending on information security will hit $75.4 billion this year—up 4.7 percent.
Meanwhile, research firm Infonetics said the worldwide security market grew 13 percent from 2014 to 2015, and called out double-digit growth for Cisco, Check Point, Fortinet, and Palo Alto Networks.
That’s probably happy news to venture capitalists and shareholders, but will organizations actually reduce their risks? Will they measurably improve their ability to protect systems and information, or respond more quickly and effectively to an incident?
I think it’s unlikely.
The lack of return isn’t necessarily due to shortcomings in security products (though shortcomings certainly exist). Even as new security technologies come to market with novel solutions, four security fundamentals haven’t changed.
1. Attackers Have The Advantage
In information security, attackers only have to get something right once. If exploit A doesn’t work, they move on to exploit B. By contrast, defenders have to get it right every time. Those are terrible odds.
Attackers also have multiple ways to come at you. Even if your organization’s internal systems are locked down tight, they can compromise outside Web sites that your employees visit, or infiltrate a business partner’s systems, or find a zero-day in software that your company uses, or get malware on an employee’s mobile device.
Given the number of avenues of attack, it’s nearly impossible for an organization to maintain robust controls on every one of them.
2. You Have End Users
People want to do their jobs. They need to access information and applications; share things with people outside the organization; and get work done at the office, at home, and on the road.
That kind of pervasive access is hard to manage, even for dedicated security professionals who have the full support of executive and business leaders. If you make controls too onerous, people find a way around them.
People can also be tricked. Even security-aware end users aren’t immune to phishing schemes or links to compromised Web sites.
3. Old Security Products Don’t Die, They Just Get More Brittle
New security technologies rarely supplant old security technologies. The new ones just get added to the stack. And each new layer requires management, updating, and monitoring, and adds more noise to the system.
Meanwhile the older layers grow technical debt like reefs grow coral. Firewall rules get more complex and arcane as admins come and go. AV and IDS signature sets get more bloated. Patches for known vulnerabilities get pushed to the next maintenance cycle (and then the next). And whether or not these tools are effective, they feed the compliance beast.
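To make the firewall point concrete, here is an added example (not code from the original article) of the kind of hygiene check that exposes accumulated rule debt: in a first-match policy, a rule is fully shadowed when an earlier rule already matches everything it would match, so its action never fires. The rule format is a constructed, simplified 5-tuple (action, protocol, source CIDR, destination CIDR, destination port range) and the rule set is invented for illustration; real policies carry more fields, but the containment test is the same.

```python
"""Shadowed-rule finder for a first-match firewall policy.

Added example, not from the original article. Rules are a constructed,
simplified 5-tuple; the rule set below is invented to show the failure mode.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # (low, high) inclusive destination port range


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is inside `outer`."""
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    ports_ok = a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
    return proto_ok and ports_ok and _net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)


def find_shadowed(rules):
    """Return (shadowed_rule, shadowing_rule) name pairs, in policy order.

    Only the first shadowing rule is reported for each dead rule. The action
    of the shadowed rule is irrelevant: it never fires either way.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed rule set: r2 is a broad deny an admin added years ago; r3 was
# added later by someone who assumed it would allow SSH to one host; r5 is a
# copy of r1 that nobody noticed.
RULES = [
    Rule("r1", "allow", "tcp", "10.0.0.0/8", "192.168.10.5/32", (443, 443)),
    Rule("r2", "deny", "any", "0.0.0.0/0", "192.168.10.0/24", (1, 65535)),
    Rule("r3", "allow", "tcp", "10.1.0.0/16", "192.168.10.7/32", (22, 22)),
    Rule("r4", "allow", "udp", "10.2.0.0/16", "192.168.20.0/24", (53, 53)),
    Rule("r5", "allow", "tcp", "10.0.0.0/8", "192.168.10.5/32", (443, 443)),
]

if __name__ == "__main__":
    for dead, by in find_shadowed(RULES):
        print(f"{dead} never fires: fully shadowed by {by}")
```

Run against the constructed set, the check reports r3 as shadowed by r2 (the "allow SSH" rule the last admin added is dead, because the old blanket deny sits above it) and r5 as a duplicate of r1. Neither shows up as a failure in any dashboard; both are exactly the arcane growth the paragraph describes, and finding them still takes a person who knows which of the two rules reflects what the business actually wants.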
4. Security Needs People, Not Products
Security costs money, but it doesn’t directly contribute to the growth of the business—at least, not in the measurable way salespeople or new stores or product developers do.
Thus, security will always be at the mercy of the organization’s primary goals: to cut costs and boost profits. And that affects how organizations spend on security, which in turn usually means paying for things instead of people.
This is a gross oversimplification, but security is basically about change. Did something change in my network or on this system? If so, what does that change mean?
Machines are very good at identifying change. They are less good at interpreting it. What you need, in addition to tools, are smart people who have detailed knowledge of the organization’s business systems, risk, and goals, and who know what to do with the information presented to them by the tools.
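The split between detecting change and interpreting it can be shown in a few lines. The following is an added example, not code from the original article: a baseline-and-diff integrity check over a constructed in-memory "filesystem" (a dict of path to bytes, so it runs offline; a real host would walk the disk instead), followed by a triage step whose only source of meaning is an approved-change list that people maintain. The ticket identifiers and file contents are invented for illustration.

```python
"""Baseline-and-diff change detector with a human-supplied context layer.

Added example, not from the original article. The filesystem, the file
contents and the change tickets are constructed for illustration.
"""
import hashlib


def snapshot(fs):
    """Map each path to the SHA-256 of its content (the baseline)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in fs.items()}


def diff(baseline, current):
    """The part machines are good at: list exactly what changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def triage(changes, approved):
    """The part machines cannot do alone: decide what a change means.

    `approved` maps a path to the change ticket that authorised it. That
    mapping is business context supplied by people; the tool has no way to
    derive it from the bytes. Anything not explained is routed to an analyst.
    """
    explained, needs_human = {}, []
    for kind, paths in changes.items():
        for path in paths:
            if path in approved:
                explained[path] = (kind, approved[path])
            else:
                needs_human.append((kind, path))
    return explained, needs_human


# Constructed "filesystem" before and after a maintenance window.
BASELINE_FS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/usr/bin/curl": b"\x7fELF...v7.68",
    "/etc/cron.d/backup": b"0 2 * * * root /opt/backup.sh\n",
}
CURRENT_FS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/usr/bin/curl": b"\x7fELF...v7.70",
    "/etc/cron.d/backup": b"0 2 * * * root /opt/backup.sh\n",
    "/etc/cron.d/.update": b"* * * * * root /tmp/.x\n",
}
# Constructed change record: only the curl patch was ticketed.
APPROVED = {"/usr/bin/curl": "CHG-1042 (patch window)"}


def review(baseline_fs, current_fs, approved):
    """Full pass: detect, then triage; returns what still needs a person."""
    changes = diff(snapshot(baseline_fs), snapshot(current_fs))
    _, needs_human = triage(changes, approved)
    return needs_human


if __name__ == "__main__":
    for kind, path in review(BASELINE_FS, CURRENT_FS, APPROVED):
        print(f"unexplained {kind}: {path}")
```

On the constructed data the detector reports three changes and the ticket list explains one. The two left over, a root-login flip in sshd_config and a hidden cron entry running something out of /tmp, look very different from the patched curl binary to anyone who knows the system, but to the tool they are all just "modified" or "added". The knowledge that separates them lives in the approved list and in the analyst who reads the remainder, not in the hashing code.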
Unfortunately, it’s often a lot easier, and less expensive, to buy a hot new piece of hardware that promises to whack moles 50% faster than last year’s model (especially if it lets you check a compliance box), than it is to invest in and train human beings to figure out what to do with all the critters that weren’t identified as moles by the machine.
More security spending on things doesn’t necessarily mean better outcomes for customers.