On Friday, Forbes posted an article by David Lowenstein and Risu Na about the "Growing Crisis of Confidence in Computer Security". Now, I agree with the core point that we have a significant crisis in the industry; however, I take strong issue with some of the points they identify as the problem.
Lack of Awareness - I agree we have this problem. However, it is not a lack of awareness of the tools we use but a lack of awareness among the individuals in the organizations in which we operate. We need to do more to educate every employee about the problem and build awareness so that they become "Security Aware".
Lack of Resources - Yes, we don't have enough money or people. What we need to realize is that we never will as long as we treat the problem as the sole responsibility of the security organization. Until we build security into the corporate culture and into every project as something "we just do because it's who we are", we will always be in the capex/opex hole.
Lack of Adoption - I'm at a loss here. Where have we ever seen a metric showing that money spent is an indicator of adoption or of the level of security? The fact of the matter is that there are a lot of free tools out there. Beyond that, people are the problem, not technology, and talk is fairly cheap.
Too Many Products - Yes, most organizations have too many incompatible or duplicative products. I'm not sure how this has any bearing on the topic at hand. This is a commonly used discussion point to get a customer to move to a single vendor. In many cases that makes a lot of sense, yet it's not why security fails.
The reason security fails is that we have been dealing with security as a technical problem, and a technical problem only. Very few organizations dedicate 50% or more of their effort to changing employee behaviors to balance the implementation of technical preventive or reactive controls. In addition, we (practitioners) have so few people who actually do security and understand what the real problems are, let alone people who try to advance the industry. Take a look at our industry. The vast majority of practitioners are struggling to implement basic controls, let alone help create or advance the theories or methodologies under which we operate. With the onslaught of new threats over the past 6 years, this is becoming a more significant challenge. What we do have is a great number of researchers and vendors telling us what to do. In a year's review of articles discussing the issues and recommending how to address them, less than 1% were from an actual practitioner. It's not ironic that about 1% talked about changing culture and methodologies. Yet well over 90% of the articles show how the authors' products can solve the problem. In most cases it's even the wrong problem, or the claims of resolution are completely false.
I'm not saying that security vendors have ill intent. It's my assertion that they just don't understand what the real challenges are. When they do, they try to fit them into the products they sell. Yes, we could use better products, but that's not why security fails. What fails is our inability to manage with a mature methodology, to communicate in business terms (a la Risk), and to change the behavior of employees so that security becomes part of their DNA.
We've seen so many products for locking down workstations, better AV, etc., but I can't remember a product that assists in true Risk Management for the enterprise. Not one that I've seen collects logs, threat intel, asset information, revenue generation data, DLP, etc. (see Risk Management Post). Vendors are important, no doubt, but what we need is practitioners standing up and talking about security ourselves, perhaps loudly enough that mainstream organizations such as Forbes will publish our thoughts on par with those of vendors.