Since we started Terbium we’ve promoted the mindset that defense, while still necessary, is no longer sufficient. Security, like the weather, has become as much a risk management problem as a technical problem. It’s not a matter of “implement all the right technical solutions and be completely safe,” but rather a matter of managing your risk, both defensively, pre-incident, and responsively, post-incident.
One of the characteristics of a technical, or IT, problem is that either you have a problem or you don’t. If an employee can access their email, there is no problem. If they cannot, it’s a problem. Problems like this are well suited to a fire alarm mentality. There’s no need for concern if everything is working. As soon as something is not, it is a problem, and it must immediately be fixed. Then it is no longer a problem, and all may return to being unconcerned.
Risk management problems are very different. By their nature, risk management problems are not “solved” or “unsolved.” Whether or not you have a problem with flooding isn’t a question with a binary answer, but rather a probabilistic one. If you’re adequately protected, that doesn’t tell you anything about the next rainstorm – it just tells you that, on balance, taking into account all the floods expected, you’re comfortable with your level of risk. The fire alarm mentality is destructive here, because even with the best risk management, there’s no “solving” the risk of flooding. That risk persists, and you can’t ring the fire alarm nonstop.
Back in 2013, this was an unusual message. Then, much more so than now, security was seen as a technical problem that needed to be solved. The messaging was almost universally FUD (fear, uncertainty, and doubt), as stock photos of sweaty security engineers were juxtaposed with black ops soldiers rappelling out of helicopters with laptops between their teeth.
Be very concerned – panic, even! – until you implement this technical solution. Then the problem will be solved, and you have nothing to worry about, the messaging said. At Black Hat 2015, the typical booth design featured crisis imagery. At least one booth featured an actor dressed as the Terminator, and the resounding message was that everything was on fire, but that cyber security special forces could put it out.
Fast forward to 2016, though, and it looks like we (as an industry) may have turned a corner. The mindset of an industry goes directly to its marketing, and nowhere is security industry marketing as consolidated as at the Black Hat conference. The contrast between this year and last is striking. Instead of FUD, the majority of messaging this year was geared toward living with the problem. Colors were brighter, booth designs had far more illustrations and far fewer photorealistic images of military figures, and many more companies opted for designs that emphasized ongoing risk, and the need not to panic – either by adopting tongue-in-cheek designs, or by emphasizing the ongoing nature of the threat.
As our weather analogy emphasizes, security is a risk management problem, and security products need to be sold as such. Information security products are inputs to the cost/investment/convenience/security tradeoff, and that’s a tradeoff that’s both inherently mathematical and inherently ongoing.