Cybersecurity Predictions For 2016: Choosing Leadership Over Luck

Forbes Technology Council
Post written by Simon Crosby

In the blink of an eye, the year is almost over. In looking back at what it meant for the cybersecurity industry, 2015 was predictably busy. We saw big acquisitions, including those of EMC by Dell and Websense by Raytheon. Rapid7 and Sophos both went public. Large funding rounds happened almost weekly, with the sector raising more than $2.3 billion in the first nine months.

Cybersecurity spending increased sharply and should cap out at about $75 billion by year’s end, according to leading analyst estimates. While the U.S. House and Senate continued to debate cybersecurity legislation, government agencies amassed a whopping security budget of $12.5 billion, collectively.

There were unforgettable breaches, like Anthem, BlueCross BlueShield and the U.S. Office of Personnel Management, although the biggest headlines went to the Ashley Madison breach. There were also countless daily reports of breaches due to “sophisticated attacks” and resulting losses from companies whose infrastructure -- despite all the spending -- remained woefully vulnerable. Even President Obama stepped into the fray, cementing an agreement with China in the hope of limiting the scope of nation-state hacking.

Are We Doomed To Repeat The Same Mistakes?

Looking back, it’s painfully clear that while we may not have known the names and faces of the victims, or the numbers behind the M&A, funding, budget and breach news, most of this was predictable in 2014. So will it be any different next year, or are we doomed to repeat the past yet again?

Unfortunately, in most respects, 2016 won’t change much: users will still click on malicious links; IT will still be bad at patching; the bad guys will still attack; and the tide of misery from breaches will continue. What matters most is whether your organization will be a victim or not. Of course you could do nothing and be lucky. But the only way to control your fate is to lead your organization to high ground based on a well-considered, security-first strategy.

As co-founder and CTO of Bromium, a cybersecurity solution focused on endpoint threat isolation, I have spoken with hundreds upon hundreds of CSOs and CIOs who recognize that the cybersecurity industry continues to repeat the same mistakes. Unfortunately, even though these CSOs and CIOs recognize the shortcomings of the security industry, their organizations tend to hold them responsible when something goes wrong -- not the vendor.

There are too many “me too” vendors focused on the staple of detection. In the endpoint security sector, for example, over 40 vendors are bringing to market a feature set that Gartner terms “EDR,” or endpoint detection and response, whose sole goal is to help find a breach in progress -- provided you know what to look for in the first place. Despite vendor claims, detection can’t protect you, and it isn’t advancing much, even when disguised as artificial intelligence (AI). In a world of adaptive, intelligent attackers, even the best AI technologies tend to make lots of mistakes. Ponemon estimates that a typical large enterprise spends up to 395 hours per week processing false alerts -- about $1.27 million per year.

How To Shift Your Focus In 2016

Instead of relying on post-hoc analysis in the hope of spotting a breach, your focus in 2016 should be on adopting solutions that make your infrastructure more secure by design to prevent a breach before it starts. Move to the cloud, adopt micro-segmentation and micro-virtualization and upgrade to the latest operating systems.

Security (still) won’t be solved inside the Beltway. Year after year, public sector companies hang their hats on the hope of cybersecurity legislation that will somehow do the trick. This year was no different. CISA and the Wassenaar Agreement both sparked industry-wide debates around data security, civil liberties, privacy and exploit controls. There is no doubt that security is a serious issue and a hard problem to solve, but it’s not going to be solved by Congress; it's a systematic problem that will require cross-aisle collaboration, which is simply unrealistic in an election year.

Finally, remember that the same vendors that promise to secure you still won’t be held accountable for breaches. PwC predicts that the cyber insurance market will triple in the next five years. While insurance will do little for the peace of mind or job stability for CISOs whose companies experience a breach, it will hopefully force organizations to take a long, hard look at the cost of their continued insecurity.

It’s time for organizations to force vendors to be accountable instead. If a vendor claims to secure your network, force them to accept liability if your organization is breached. Pay your endpoint security vendors based on the value they deliver. Free is the right price when regulations demand the functionality but the vendor fails to protect you. Force your vendors to put their money behind their marketing messages. Greater accountability means a greater drive for cybersecurity technologies that do what they claim to do and actually help to mitigate threats.

I don’t think we’ll see an end to data breaches in the near future, but if organizations start questioning the status quo and demanding answers and accountability from vendors, we’ll start to see many of the breach news headlines disappear.