Time to change the (cyber) record?

It's that time of year again. Next week the usual suspects in the IT security world will spend three days eyeing up each other's wares at the annual Infosecurity Europe show.


Despite being at a new venue for 2015, will anything else have changed? Unlikely. This year the show celebrates 20 years of vendors promising that their software/hardware/appliance/service/cloud is the solution to all known security problems.

And yet, as we all know, they haven't worked. Whether it's killer North Korean hackers, the Russians hacking the US IRS or the massive loss of customer data by MSpy, every day sees a new cyber drama revealed to the world. As an industry we're crying wolf so often that executives seem to be going numb to the relentless budget requests for better/bigger/faster solutions. Despite massive increases in spending on firewalls, IDS, IPS, threat intelligence, endpoint monitoring and SIEM solutions, breaches keep on happening.

Hack-fatigue is setting in.

Last year, NTT Com Security surveyed 800 non-IT business decision makers for their Risk:Value report. Whilst 63% of respondents said they expected to suffer a security breach, only 9% saw poor data security as the biggest threat to their business. It didn't even make the top 5 answers: competitors were what really kept them awake at night.

IT security budgets will not increase at the same rate as our reliance on technology. Boards and investors will become increasingly exasperated at the lack of tangible results, and will expect to see a positive return on their investments in security. 

It's time to do more with less: spending the limited security budget wisely and efficiently, thinking like the bad guys, being brave, sticking your corporate neck out, testing yourself mercilessly, and expecting more scrutiny on every penny you spend. Buying a solution just because it's in the top-right quadrant of a chart doesn't mean it'll work for you, in your organisation, in your circumstances.

We need a new approach.  Before hack-fatigue turns into hack-indifference.