Technology is Not Our Problem
The Security Vendor Space is Extremely Noisy and Increasingly Out of Touch With the Needs of the Enterprise
Recently, I’ve returned to working on the enterprise side of security after five and a half years on the vendor side. Getting back to the enterprise side feels quite good. It’s very comfortable for me, as it’s where I’ve spent the majority of my career.
Aside from comfort alone, being back on the enterprise side is great for many other reasons as well. I’d like to make some of those reasons the focus of this piece. Diving, once again, into the day-to-day security challenges that confront an enterprise has reminded me quite starkly of several things:
1. Modern enterprises and their security programs are remarkably complex
2. Addressing gaps in the security program is less about technology and more about people and process
3. The security vendor space is extremely noisy and increasingly out of touch with the needs of the enterprise
4. Advice and guidance tend to be too abstract and difficult to operationalize
5. Reporting, metrics, and communicating the value that the security team provides remain a significant challenge
6. The regulatory environment is increasingly complex, pulling resources away from other important security functions
At first glance, it would appear that the state of security hasn’t advanced much in the five plus years I was on the vendor side. This can seem disheartening and discouraging. Despite all of the money pumped into security on an annual basis, many of the same issues and challenges persist from year to year.
Upon further inspection, however, I believe that the situation tells a different story. The story I see is one of maturity and progress as an industry that have brought us closer to our goals. Of course, we still have problems that need to be solved, but contrary to what we’re being inundated with on a daily basis by our vendors, technology isn’t our problem. How so? Allow me to explain.
1. Complexity: For those of us with experience working in enterprise security programs, it will come as no surprise that they are complex. What I’ve noticed, however, is that the complexity has increased significantly over the last several years. The array of functions and initiatives that the average security team is involved in is staggering. The architecture and ecosystem that the security team is confronted with are overwhelming. This complexity, in turn, introduces gaps in the enterprise’s security posture that need to be addressed. Perhaps surprisingly, it isn’t for lack of technology that these gaps exist.
2. Gaps: Naturally, gaps in an enterprise’s security posture require attention. In recent years, however, the scope and variety of the gaps an enterprise faces has increased significantly. Gone are the days of a simple mapping between gaps and the technology required to fill them. We aren’t wanting for technological solutions per se – there are plenty of them around. In fact, many organizations already have enough technology in house that can be leveraged to solve problems. So what’s missing? Understanding how to properly leverage that technology together with people and process.
3. Vendor Space: The security vendor space is remarkably crowded. Many vendors use the same language, claim to solve the same problems, and say that they operate in multiple different markets. Even for a seasoned security professional, it can be difficult to make any sense of it all. There is one thing, however, that’s missing from nearly every vendor’s approach. Vendors try and sell their technology into the enterprise, but what they don’t often realize is that the needs of the enterprise are very often orthogonal or tangential to what vendors are marketing. There are some good security vendors with some impressive technologies out there, but if they think they’re going to come to the table overconfident and calling the shots, they are in for a rude awakening. Their solutions just aren’t that unique anymore, and even if they were, they won’t get the job done alone. The focus in the vendor space needs to be first and foremost on understanding the existing complexity of the enterprise and subsequently on snapping in to it.
4. Advice: I suppose it isn’t very hard to come by advice in life. Good advice, however, is something else entirely. Many security consultancies have some interesting ideas and novel approaches. Unfortunately, where I often see advice break down is on the bridge from theory to practice. In practice, there are often complicating issues, external factors, and extenuating circumstances that make it impossible to apply textbook advice. For the modern enterprise, sound security advice comes with a keen eye towards practicality, pragmatism, and operations. It is easy to be an academic and pontificate. It is much harder to slog through bureaucracy towards a meaningful solution.
5. Reporting: The efforts of a security team can all too easily go unnoticed. After all, security is a field in which no news is good news. In other words, if a security team is doing its job well, nothing ever happens, and when it does, it’s quickly and efficiently contained and remediated. Given this, it’s easy to understand why it’s often difficult for executives to understand the value that the security team brings and what various different security resources are needed for. So you can imagine my surprise at the abysmal reporting and metrics capabilities that most security solutions offer. If I buy your technology, it should be easier for me to communicate the value that my team provides, not harder.
6. Regulation: The number of regulations that a security team is forced to contend with seems to increase on a yearly basis. It may not be fun, but it is increasingly part of life in the security field. With increasing regulation comes increasing strain on valuable security resources. A resource working on regulatory issues is one that cannot address other challenges. This seems to be something that many vendors aren’t quite aware of either. If I have trouble understanding and communicating the problem your technology solves and the value it brings, it’s hard for me to get excited about it unless it directly addresses a regulatory issue for me.