Why You Need to Buy Security Differently from Managed Services

In many newspapers these days, one doesn’t have to read very far without tripping over the latest sensational article on a security breach. The black hat community conducting security attacks is incredibly well funded and incredibly sophisticated and our traditional firewall security precautions are woefully inadequate. The implications of this for companies are stark and robust. I think we must start with how we approach security.

The list of attacks is long and includes, for instance, Target’s customers, Anthem’s healthcare customer records, and the U.S. federal government apparently being penetrated by the Chinese. Behind all this is the frightening prospect of a highly sophisticated black hat community potentially funded by national governments in China and Russia and increasingly being in alliance with organized crime. The black hats are conducting security threats on a scale that is both mind boggling and deeply worrying – not only right now but even more so over times as the R&D effort of this community drives increasing levels of sophistication.

To date, we have approached security as a hygiene vehicle – one and done. We think about it in terms of firewalls securing our data center or making different layers of IT or technology architecture secure. We invest once to try to imbue our technology with a level of defense, and then we seek to spread that investment over the technologies; and we expect the cost to decrease as the learning curve goes down. The problem with this is that it cannot stand against the R&D effort and the rate of improvement in the black hat community.

Therefore, we must change our expectations and how we buy security. We must have a separate security tower in which the expectation is the cost will rise over time and we will invest ever more money and time into ways to counteract the growing black hat menace. The black hats are not constrained to attacking just one functional element of an organization’s service chain; therefore, businesses need an overarching security solution that secures everything. The consequences of not countering this threat are immense.

When we approach security as a hygiene vehicle, we ask for a component of security and monitoring in each technology function. Whether it’s a data center, applications, network, or other infrastructure, we use firewalls, encryption, or other tools and techniques to harden our environment and make it less vulnerable. That’s all well and good, and this should continue. However, this is woefully inadequate on its own with the increasing sophistication and threat from the black hat community. We cannot expect to be defended or even maintain our corporate responsibility if we assume that a hygiene approach is adequate.

It’s clear that we must also procure a different kind of security that is overarching and that matches the rapidly changing security landscape vulnerabilities uncovered and exploited by extremely well-funded and incredibly gifted black hats. We must realize that a hygiene approach to security will prove to be dramatically ineffective against the black hats’ innovation. And we must expect that the cost of an overarching security function will increase because of the need to constantly invest in our capabilities to innovate – and innovate faster – to counteract their threats.

We see the changing expectations starting to happen with the chief security officer in a role outside of technology and reporting directly to the CFO, CEO or board. But we have not seen the kind of budget and capability being invested into that function that are necessary to counteract the growing threat.

Furthermore, we have yet to see service providers providing a managed service to this new entity. The managed services they offer are based on the normal managed services principle of providing a constant service that will get cheaper over time as the learning curve and technologies mature. That’s the underlying theme of all managed services. That principle gets stood on its head in the context of security when the adversaries’ sophistication keeps rising exponentially. The cost of sophistication to counteract the adversaries must rise equally – which doesn’t work in the managed services principle.

Furthermore, no one firm can have the sophistication to take on the Russians, Chinese, organized crime mob, and the black hat ecosystem. That’s not a reasonable expectation for even the largest organizations. Therefore, organizations must turn to service providers that can aggregate customers in order to match the investment of the black hat community. The services industry must get together to defeat this massive threat to businesses, but managed service offerings are not the answer. We must innovate at the same rate at the black hats; thus a provider’s expectation of cost dropping over time is false because the learning curve will not go down.

Bottom line: The cyber attacks situation will get worse. All businesses – including service providers and their customers – must expect that their investments in security will increase to match the ever-escalating threats.


Photo credit: Flickr