I spent some time at Black Hat this week and was both impressed and scared by the tenor of the discussions around security—or the lack of it—in our national infrastructure, our computer systems, and even our smartphones. For example, Trustwave SpiderLabs has published some disturbing statistics: 84% of organizations that have been hacked or victimized by malware were not able to detect the breach themselves, the average attack goes on for 173.5 days—nearly six months—inside a victim’s IT environment before being detected, and 89% of breach investigations focus on customer records.
Why is security so poor despite the tens of billions that have been spent on it over the past couple of decades? Beyond the obvious answer that the bad guys are getting smarter, another explanation that accounts for at least part of the problem is the lack of proactivity with regard to security inside many organizations. The founder of a leading security company with whom I spoke at the conference (I’m not sure he’d want me to use his name) attributes it to a combination of politics, passing the buck and incompetence in many organizations. In government organizations, the lack of accountability and repercussions (you can’t sue the government) is an additional factor.
For example, the CISO will often view security as painfully and unnecessarily impacting his or her budget and so won’t take the necessary steps to combat the problem. The CFO who could approve the necessary budget often does not understand the issues or risks involved. Many in IT believe that being proactive about security is “above their pay grade,” and so they don’t work to improve security. For those in IT who do understand the problem and are willing to do the work of applying patches to improve security, senior management will sometimes call them on the carpet for the increased downtime that results from the larger number of security patches.
As much as organizations may not be proactive about security, they certainly are reactive—for at least six to 12 weeks—following a major data breach. Wallets are opened immediately following the breach or other security intrusion, and spending to remediate the problem abounds. However, after the shock of the breach has worn off, the status quo reemerges until the next major security problem. The individual with whom I spoke has seen organizations breached up to five times in a year because of this cycle of no proactivity followed by brief but intense reactivity.
One of the keys to solving the security problem is to fight the natural human tendency to address problems only after they have occurred. But is overcoming human nature in the quest to protect our infrastructure and our data assets even possible? I’d appreciate hearing your thoughts about this.