At this week’s ISACA European conference in Rome, leading security risk and compliance consultant Richard Hollis (pictured) gave a devastating critique of the cyber security vendor market.
IT Europa was invited along to the conference by ISACA, which is the leading global membership organisation for those working in IT governance and compliance, with 162,000 members.
We spoke to some of the leaders in the organisation about various issues that affect the IT industry and its channels, but, first, let’s start with Hollis’ talk to a packed conference room of delegates. They were told security vendors and service providers were pretty much useless in tackling threats.
In a presentation entitled ‘The circle of failure: Why the cyber security industry doesn’t work’, Hollis started: “We’re not doing well, as an industry we’re failing – it’s 30 years down the road since the first worm was discovered.
“At the recent World Economic Forum, three of the top ten greatest threats discussed were attributed to our industry, after 30 years of us trying!”
He continued: “As an American, you know things are bad when the government steps in, because that’s when an industry is failing. It did it with the car industry, for instance, as it wasn’t putting $2 seatbelts in cars or fitting shatter-proof glass, along with other safety measures.
“And [referring to legislative moves being made by the Biden administration] the government is now making moves on ours. Just look at the breach numbers...we’re losing 18m records a day. We know that from the mandatory reporting, but what’s actually reported is only a small part of what is lost.
“We’re spending more and more on cyber security and we’re losing more and more data, it doesn’t make sense to me. We’re caught in a cycle of failure.”
He then went on to list the different areas of the cyber security industry that were failing.
The product vendors
“The product vendors: Fail. Our cyber security products don’t work. They are reactive when they should be proactive, but they never have been. They’ve never been as clever as the attackers who set the game. The vendors are giving us knives to take part in a gun fight.
“There is too much hype and FUD – fear, uncertainty and doubt – it clouds our judgement, which it is designed to do, instead of doing things that prioritise our business.
“Vendors profit from the insecurity of computing, their sales go up after every major breach. The products don’t work, but they make more money. They treat the symptoms but not the problem. Preventing breaches, that’s when they should make money.”
On accountability, Hollis said: “In any other business, if it doesn’t work, you send it back, just like you would with a flat screen TV that doesn’t work.
“All the product vendor leaders of our industry have been hacked themselves – they are not shepherds, they are just sheep, like the rest of us.
“‘Zero day’, what is that? The ransomware problem is a vendor problem – 95% of ransomware is associated with vendor vulnerabilities – why aren’t they part of the discussion around ransomware?”
Managed service providers
Hollis slammed what he saw as failings in the MSP sector. “They are selling us a process not a product. Do you know the SLAs in your agreement? The bulk of the work is on you, even though they are brought in to manage the system.
“The liability clauses, they don’t work for you. And if something goes wrong, they maybe give you 12 months free, great.”
On alerts distributed by providers, Hollis said: “‘False positives’, that’s an oxymoron. If four out of ten alerts are false, maybe the service is not ready for market, if it is on the mark only 60% of the time?
“Alert fatigue is an issue, we may ignore true alerts when there are so many false ones. We want to know about real fires, not reports about a little smoke.
“But who’s responsible anyway for the malware? All the major MSPs have been hacked, they can’t even secure their own systems.”
The ISPs
Hollis also criticised the providers of internet services. “Why aren’t they part of the discussion too? They provide a major need for most...air, water and internet.
“But they see the malware travelling to your business and do nothing. They see the source and the target. They’re like a big night club, they’re the door men but they don’t keep the bad guys out, and those guys are hurting everyone else in the club.
“Why don’t we complain to our ISPs? They sell bandwidth but don’t make any money out of security, but they could, if we asked for it. All major ISPs have been breached in the last 18 months.”
Businesses
He pointed out that businesses using security services had also failed. He said that firms were supposed to have a strategy to use their security spending to protect people, processes and their technology, but were spending most of it to actually protect their technology.
“How about controls for people and processes? We are just a hamster in a wheel. We don’t have a strategy, every time the product doesn’t work we just buy more of it.
“How about the duty of care to protect people, they are not just 1s and 0s?”
You have failed
“You, we have failed, think of the change we could effect if we demanded more, just like we do in other spheres of our lives,” said Hollis.
“We focus on ‘cyber’ rather than product. We need to focus on people and process. Who benefits from the status quo? It’s the security market, and, in some cases, nation states.”
Hollis received raucous applause at the end of his presentation. Will this help lead to a more demanding and difficult sales process for the suppliers? Who knows.
Hollis’ tips to make things better
- Before we buy the product, do we have the resources to manage it?
- Read the SLAs
- Don’t just protect the technology, protect people
- Product efficiency must be checked
- Ask for your money back if things don’t work – suppliers have to be accountable and legally liable “if they cause harm”.
More on the ISACA conference to follow...