Greg Ferro is Co-Founder of Packet Pushers Interactive LLC, an emerging media company covering the technology market from the perspective of an enterprise customer. We had a chat with him about the IT security landscape and its challenges.
What is Packet Pushers?
Packet Pushers is podcasts for IT Infrastructure professionals who want to know more and make the most of their time in the car or on a plane. Our hosts are real engineers who talk nerdy and get the discussion into technology and not marketing. We’ve been doing it for ten years, so we must be doing something right.
Today we have 7 podcast channels focused on data networking and cloud markets. Check us out on Apple Podcasts, Spotify or your favourite podcatcher by searching for Packet Pushers.
You’ve said that IT security is overrated. Can you elaborate on that?
Security is about protecting items of value to us. For example, we live in houses to keep the weather out and provide protection from bad actors. We make conscious balancing decisions to reduce the security of houses by adding doors and windows because we value simple access, a nice view and fresh air.
Houses with valuable goods or people with high-risk professions will spend money to improve door locks and windows and may even go so far as to install cameras and alarms. How much you spend on security varies according to your need.
IT Security protects business operations at a cost. It doesn’t add value by improving profits or sales, so we want the cost to be as low as possible. IT Security is important in the same way that cleaning office toilets is necessary but not important.
Companies Don’t Fail Over IT Security
Surviving failure is normal for businesses. A bad project, product failures, board infighting, or management scandals are everyday events but companies don’t fail. Security isn’t important compared to these issues.
When we look at IT Security events over the last decade, how many companies were forced out of business? Did they suffer long-term loss of value? Facebook has had a string of data breaches. Equifax, Heartland Payment Systems and British Airways are major companies with huge security failures and zero impact.
Consider the Equifax hack in particular:
- A trusted technology company to manage sensitive personal data for credit checking. The organisation should have world-class security functions.
- A key technology infrastructure for consumer financial transactions.
- A series of security failures in 2016-2017 across multiple systems in many countries.
- Was breached using a well-known, public vulnerability in their core business application. Equifax knew about this for nine months.
- IT security processes shown to be laughably poor following audits.
- Poor response to the security incident, with false statements, exaggerated claims and even insider trading.
While a few people lost their jobs, some with handsome packages, Equifax has suffered zero financial or business impact. They continue to operate credit services for profit.
If the business impact of IT security failure is so low, then we must focus on reducing the absolute cost. Here are some guidelines:
- It must be cheap because the cost of failure is low.
- It must be easy to manage, like cleaning toilets.
- IT Security people need to understand that they have limited value or importance and be realistic.
- It must not impede the core business function and cause lost profits, lost productivity or lost opportunity. Security comes last because no profit means no need for security.
- Companies must prepare for security failures as they do for any other failure (and maybe that means no preparation at all!).
When you interviewed Simon Crumplin from Secrutiny, he said that security needs more people and operations, not products. What is your opinion?
We need more people and fewer products. Why? You need people to use the available tools and deliver business value. A threat intelligence feed performing inspection on an application firewall delivers no value unless it has ongoing configuration and analysis by an operator. As the apps change or new threats emerge, it is the customer’s responsibility to observe and respond. Vendors and services are unable to deliver this customisation.
Companies like Secrutiny are showing companies that fewer products and more people focused on common security tasks, such as patching, get better results.
Headcount Reduction Problems
We have seen a boom market for security products over the last five years. Venture capital has pumped hundreds of millions into enterprise security startups that are now desperate to generate a return. Many are choosing to feed the executive fear cycle that followed the Snowden era five years ago. Security sales teams are well-trained to sell fear and uncertainty, e.g. upgrade to application firewalls for protection with new tools to detect attacks, or replace your intrusion detection with cloud-based threat intelligence services.
Of course, the question “Are you secure?” is an infinite selling opportunity that buyers cannot handle. Why? Here are just two reasons.
Reducing Headcount. It’s the current fashion to reduce IT headcount to fund new purchases. IT budgets are not getting bigger, so vendors have built products that “replace head count” and you can use the funds to buy more products. Of course, the IT team no longer has the time or skill to operate them to make the company secure.
Lack of competency. As headcount reduces, I see a colony collapse in technology competency. A small team often lacks the diversity and bandwidth to share, support and encourage each other. And the work commonly devolves into firefighting and job hopping instead of fulfilling creative and successful work.
Not only security
Understaffing and poor training are not unique to security; they apply to all areas of Enterprise IT. Companies talk a great deal about ‘digital transformation’ and ‘online first’ while failing to invest in the people that create the change. is business as usual.
IT Security is no more or less critical to the business than any other area. At the same time, these functions need head count to deliver the solution, just like cleaning the toilets. It’s unavoidable.