The cyber security industry is squandering the opportunity to make computing safer in an era of an increasing number of data breaches, a senior Trend Micro executive has told a Canadian security conference.
“We are a rocket ship full of potential,” Mark Nunnikhoven, the Japanese company’s Ottawa-based vice-president of cloud research, told the annual SecTor conference on Wednesday. “We are more important than ever. Unfortunately – and I include myself – we are taking this rocket ship and driving it straight into the ground.”
About $118 billion will be spent this year on cyber security products and services, he said. But one vendor estimates criminals are pulling in $1.5 trillion a year. Meanwhile, the cost of cleaning up the damage from online attacks will be $4.5 trillion.
Obviously, he said, the industry isn’t slowing criminals down.
“We are not being successful in our profession. We may have small wins but globally we are not winning. We are losing.”
The blame gets spread around, he said. CISOs have to report to CIOs, who have a lot on their plates. And what they want to spend on usually improves attack and vulnerability detection rather than solving a security problem.
Hire more security staff? But experts say there’s a shortage of skilled talent. He also has doubts there’d be a difference in slowing attacks even if CISOs could add more staff.
Even corporate marketing departments came in for a spanking for sending emails with URL links that are so long users who know to look for something suspicious can’t figure out if they are legitimate. “Marketing is the number one culprit for absolutely atrocious, horrible URLs sent around the world,” Nunnikhoven complained. It’s one reason why phishing awareness campaigns fail, he said.
Infosec pros weren’t spared. “We’ve done an absolutely crap job on passwords,” he said, by insisting users create complex passwords rather than allowing them to have easier-to-remember passphrases.
In addition, company policies, or products from vendors, won’t allow users to cut and paste the hard-to-remember passwords IT insists on.
Meanwhile, he said infosec pros complain their biggest problem is users, which leads to an ‘us versus them’ attitude. But, Nunnikhoven said, all of an organization’s revenue comes from users. Blaming them is wrong.
Finally, he complained infosec pros aren’t working at Internet speed, which demands fast production cycles and DevOps for secure software development and release.
There is some hope, he said, because infosec pros are now asked to speak to the board and senior management. But that means “we need to adjust our thinking, to adapt to the business environment … we need to ask are we getting value from our security investment.”
“But to actually tackle the problem we’re going to need to automate more of the work than we do.” The vast majority of analyst or threat hunting work done in the SOC should be automated, he said, where “you’re looking at an endless stream of alerts. Maybe one in 10 is valuable, maybe one in 50.”
Second, accept that users aren’t a problem. Educate them, rather than run awareness campaigns, to make good contextual decisions.
Third, infosec pros need to work with other teams in the organization. “If we push our security thinking earlier in the development and product selection cycle we’re going to get security by design. Not only is it better, it’s cheaper” than letting poor software or code go live.
“I think the goal of everything we do should be to make sure that the systems in our organization work as intended, and only as intended.” Infosec pros can’t work alone any more. “You need to get out, to collaborate and work with the rest of the organization. It makes our lives easier. We can do more effective things” with our time.
“And for selfish reasons alone it’s worth it.”