This post originally appeared on the Packet Pushers’ Ignition site on July 9, 2019.
Premise: I would be cautious about a vendor who sells security as a product or a critical/primary feature. Security-as-a-product is coming to an end. We need to return to making the things we already have work efficiently.
There is only so much FUD salespeople can spread before we become immune to their fearmongering.
Most people will want to slow down and absorb the changes, but the probable best strategy is to embrace more change.
Let Me Explain
Lots of vendors have been following the trend into security that kicked off when Snowden revealed just how easy it was to compromise technology. Hackers quickly realized there was easy money to be made and began thinking differently about their attacks.
IT security got serious. Major data breaches (such as Equifax in 2017) highlighted just how inadequate security preparation has been.
So, lots of money has been diverted from strategic projects into security. Now, that budget shift is beginning to hurt as everyday IT assets are neglected, becoming increasingly costly to own due to that neglect.
Technical debt is building and problems are creeping into the everyday. Extra security is fine, but there are operational burdens. Vendors have rushed new products to market that aren’t production-ready. Plus, engineers have limited time to master these new toys that don’t work.
Let’s Scrutinize The Problem Further
When selling security, the sales process always devolves into Fear, Uncertainty and Doubt (FUD). Buy more firewalls to make you more secure! Buy better firewalls for better visibility! Buy visibility, SIEM, malware scanning, logging and on and on.
Fine. Tools are necessary, but you need people to bring the power of the tools to bear. Those people can only integrate a limited amount of change in any given time interval.
I also believe that the greatest improvements in security come from improving operations and not adding products.
Allowing staff to focus on value extraction from existing tools is usually more effective than throwing money at shiny new objects.
Fatigue Reduces Productivity
Every security tool creates operational inefficiencies. Security tools create extra work to run and maintain while generating ever more burdensome process to create value from them. Even adding a security visibility tool with ML/AI still requires training with appropriate data sets and smart humans to interpret the output.
Operational fatigue sets in as humans struggle with the new toys. Vendors continue to promote product values based on reductions in head count. When head counts are reduced, the security tool doesn’t deliver any value–it only causes problems. Questions get asked about why productivity is low.
Now, it seems to me that we are reaching the point where operating on-prem security is just too painful. We need to either…
- Slow down to integrate the changes in security tooling and approach. Or…
- Go a lot faster.
Right. Let’s face it…it’s going to be a slow transition.
