Humility, Accountability And Creative Thinking Can Fix IT Security

The state of cybersecurity has reached full-blown systemic failure. The narrative goes something like this: Companies are spending massive amounts of money on technologies that don’t seem to be living up to their marketing messages. According to Gartner, $80 billion will be invested in IT security products in 2015 alone.

Yet breaches persist. Anthem. Ashley Madison. Sony. The U.S. Office of Personnel Management. In most cases, the security teams at these organizations were using products in the upper right corner of the analyst firm’s myriad IT security market Magic Quadrants. They were following industry standard practices.

While it’s always easier to point out the problem — and every vendor is doing it in spades right now — I believe a solution is within reach. Here’s why.

Several psychological, technological and market shifts are now intersecting with a more accountable, collaborative and trustworthy security ecosystem in mind.

Putting A Bullet In “Silver-Bullet Syndrome”

Innovation is central to the solution. But innovation isn’t just about technology. Systemic change requires a mix of new technologies and human creativity. Moving beyond “silver-bullet syndrome” — the notion that any single technology or grouping of products will eliminate all risk — will minimize blind spots by creating a security mindset that’s not in search of a Holy Grail technology.

The most secure businesses in the world have by design built security into their products and trust into their brands, always evolving their offense and defense and dismissing the old adage that nobody ever gets fired for investing in status quo solutions. Boeing. Deloitte. General Electric. Visa. Security is not a feature within these companies’ products, it’s a central brand attribute. It’s in their DNA.

As more companies continue to approach security as a core value versus a bolted-on afterthought, the silver-bullet marketing techniques that are commonplace among product vendors will fall on deaf ears.

Humans Versus Machines

Spend a few minutes on the websites of major security product vendors and upstarts alike and you’ll see much shouting about the promise of machine learning and artificial intelligence (AI). Security providers are employing smart machines to process massive amounts of data from PCs and other devices to recognize patterns of good versus bad behavior.

The irony is that businesses probably need their own pattern recognition experts to weed out the real solutions from the marketing speak. According to IT security expert Simon Crosby, “AI is the security industry’s latest pipe dream.”

This is because cybersecurity will always require humans to hand-pick subtle anomalies that could be most catastrophic. Rather than get pump-faked by the unproven promises of machine learning and AI-based security technologies, Crosby urges businesses to invest in their experts, and tools that enhance their ability to quickly identify and disarm the next attack.

Albeit overly hyped, machine learning represents tremendous promise. But so long as humans are engineering targeted attacks, a human component will be a central part of the solution. Ultimately, smart humans and smart machines will be required to outsmart cybercriminals. This is why FireEye acquired Mandiant’s cybersecurity forensics team for $1 billion.

Newer companies leveraging machine learning and AI worth watching include Exabeam, Securonix, SentinelOne and Sumo Logic, whereas more established players like Lookout, Rapid7 and Palo Alto Networks are also investing heavily in this area (based on their job boards).

Security Needs To Evolve With The Shift To Cloud And Mobility

Cloud usage inside businesses is exploding, yet it’s still in its infancy. The average enterprise used 755 cloud apps in October of this year; more than 1,000 cloud apps for technology, IT services, healthcare and biotech companies. Because employees will continue to access data-laden cloud apps via their mobile devices, both shifts are tightly coupled, and the mobility security problem is about to snowball.

Most businesses haven’t adapted their security systems at nearly the same pace to address changing IT infrastructures and human behaviors at their organizations. Amazon Web Services, for example, is expected to top $7 billion in revenue this year, further signaling how quickly this shift is taking hold.

And yet, while everyone acknowledges a shift to cloud, we’re still in the very early innings. Consider this: By 2018, only 27.8 percent of enterprise apps will be SaaS-based, according to IDC. As a result, Kevin Mahaffey believes most of the existing IT security systems will be replaced over the next several years.

Forward-looking businesses and investors are banking on technologies to get better visibility and control over the mobile and cloud tsunami that is shaping up. Mahaffey’s company Lookout has raised nearly $300 million. Infrastructure security startup CloudPassage has raised $90 million amid the shift to public and private cloud environments, and endpoint security startup Tanium recently raised $120 million on a $3.5 billion valuation.

According to CB Insights, more than $2.3 billion has been invested in IT security this year (so far), on track to eclipse last year’s $2.5 billion. A new Exchange Traded Fund (ETF) focused on cybersecurity even hit the public markets this year — ticker symbol HACK — and is loaded with public and private investments focused on solving security amid the shift to cloud and mobile computing.

Identity Will Become The Central Layer Of The New Security Stack

As mobility and the cloud make enterprises truly borderless, protecting endpoints, cloud apps, networks or email requires a standard way to manage user data created by the explosion of different devices, systems and human workflows. This situation is changing the role of identity, shifting it away from pure access management to a foundational layer of the modern IT security stack.

While companies like Ping Identity and Okta are leading the way for large enterprises and SMBs, respectively, effective identity-centric security requires the identerati to work together. This is the idea behind the recently launched Identity Defined Security Alliance, created by Ping, Netskope ThreatMetrix and VMWare, “to make identity the linchpin of CIOs’ security strategies, keeping their data safe by making it accessible to the right people at the right time.”

Information Sharing Is The Future

When it comes to searching for a solution to cybersecurity, there’s a lot we can learn from the decades-old open-source movement. While opening up the ecosystem through vulnerability-sharing marketplaces (also known as bug bounty platforms like HackerOne and BugCrowd) exposes the system to bad actors, the collective wisdom and positive will of the security research community is infinitely more scalable than the status quo.

However, well-intentioned policy makers are undermining those efforts. A voluntary arms agreement among 41 participating countries, called the Wassenaar Arrangement, threatens to hold back progress in the security industry’s information-sharing movement. According to Katie Moussouris: “The entire Internet ecosystem and everyone who uses technology will suffer the chilling effect [from legislation like Wassenaar] on research and advances in defense.”

Breach Insurance Is Not Accountability

In the wake of so many exploits, breach insurance is becoming one of the most lucrative segments of the insurance industry. In fact, Warren Buffett entered the market with two new policies earlier this fall. While large corporations need to reduce liability, breach insurance is a very dangerous concept. It signals to top brass and board members that their time in the headlines is inevitable; that it’s okay to get breached, because financial loss will be minimized.

While businesses need to reduce liability, that can’t happen at the risk of dodging accountability.

Companies need to be accountable to shareholders and customers victimized by data breaches. They also should demand accountability from the vendors from whom they buy security products. In a climate in which hundreds of security product vendors are making billions, isn’t it ironic that so few offer money-back guarantees to companies who experience breaches through their technology?

In fact, only one vendor today, WhiteHat Security, offers a guarantee program like this, offering to refund customers in full if a website using their technology is hacked. In 2016, expect to see those vendors with great technology certify their products with money-back guarantees.

A Brighter Future?

In a world where everyone knows cybercriminals and cyberterrorists are prevailing, and where we have the means to turn the tides — financially, technologically and in sheer numbers — will 2016 look any different?

Only time will tell — but I believe the good guys are well positioned to stage an epic comeback.