The 7 dirty secrets of the security industry

At the Interop conference, Joshua Corman, principal security strategist for IBM/ISS, discussed the misconceptions and half-truths surrounding the security industry

Do you ever get the feeling your security providers are failing to tell you the whole truth? We entrust the industry to protect us from unacceptable risk. But we must confront the underlying truth: The goal of the security market is to make money.

Here are the seven dirty secrets of the security industry and practical ways to command honesty from your trusted security providers.

1. Antivirus certification omissions. The dirtiest secret in the industry is that, while antivirus tools detect replicating malicious code like worms, they do not identify malcode such as nonreplicating Trojans. So, even though Trojans have been around since the beginning of malicious code, there is no accountability in antivirus certification tests. Today Trojans and other forms of nonreplicating malcode constitute 80 percent or more of the threats businesses are likely to face. Antivirus accountability metrics are simply no longer reflective of the true state of threat.

2. There is no perimeter. If you still believe in the perimeter, you may as well believe in Santa Claus. That isn't to say there is no perimeter. But we need to define what the perimeter is. The endpoint is the perimeter, the user is the perimeter. It's more likely that the business process is the perimeter, or the information itself is the perimeter too. If you design your security controls with no base assumption of a perimeter, then when you do have one you are more secure. The mistake we tend to make is assuming that if we put the controls at the perimeter, we will be fine. For many threats, we couldn't be more wrong.

3. Risk management threatens vendors. Risk management really helps an organization understand its business and its highest level of risk. However, your priorities don't always map to what the vendors are selling. Vendors focus on individual issues so you will continue to buy their individual products. If you don't have a clear picture of your risk priorities, vendors are more than happy to set them for you. Trusted security partners will provide options for assessing your risk posture and help you develop plans to make the most security impact for the least cost and complexity. Security needs to conform to and support your business priorities. Too often, vendors want your business to conform to their portfolio.

4. There is more to risk than weak software. The lion's share of the security market is focused on software vulnerabilities. But software represents only one of the three ways to be compromised, the other two being weak configurations and people. The latter is the largest uncovered area of risk. This is malicious code that doesn't leverage a vulnerability but rather leverages the person: for example, downloading a dancing skeleton for 'a spooky good time' (this was a trick employed by Storm), social engineering, spear phishing, etc. While we still need to find vulnerabilities and patch them, we must understand that an organization is only as strong as its weakest link. More attention needs to be paid to mitigating the other two ways beyond software.
