The Worrisome State of the Information Security Industry

The information security industry is confused, having noticed that the common practices for addressing IT risks or protecting data often don't work. Something is afoot in the security community, and that's a good thing.

This month alone there has been a steady stream of discussions in the blogosphere, expressing concerns such as:

  • Security tools don't cater to our needs. For instance, Michael Cloppert emphasized the need for more flexible intrusion detection and prevention tools that would allow the organization to cater defensive mechanisms according to their needs. He pointed out that "today's detection and prevention tools are built by vendors focused on common threats & vulnerabilities using often-closed signature languages, limiting the ability of analysts to leverage intelligence applicable to their threat landscape."
  • Security vendors misrepresent their products' capabilities. Too often we read and hear unrealistic promises to meet customers' compliance requirements (e. g., PCI) or defeat against the threat du jour (e.g., APT). As an example of how products can be misrepresented, take a look at Anton Chuvakin's list of Top 10 Things Your Log Management Vendor Won’t Tell You.
  • Security professionals preach security to those who already recognize its importance. Too often, we are stuck in our own world, and don't connect with other colleagues or members of the community. Referring to this practice, Ben Tomhave proclaimed, "It's time to get outside the echo chamber and meet the real constituents who are, incidentally, also paying your bills/salaries." Too often, we treat security as a standalone discipline.
  • Security assessments are scoped without reflecting real-world threat scenarios. Vulnerability assessment and penetration projects rarely mimic the actions an actual attacker is likely to take. Val Smith explained that "most companies have a vested interest in having a low quality test: they need to pass for PCI compliance or other business reasons."

Now I'm getting verklempt! Does anything actually work in the infosec industry?

Update: I made a few recommendations for improving the situation by expanding the information security toolbox.

Updated

About the Author

I design practical security solutions and shepherd them to a sustainable state. I used to be hands-on in many areas of cybersecurity and IT. Now I focus on strategy and leadership, treating security as an enabler that helps people and companies achieve their goals. As the CISO of Axonius, I lead the security program to earn customers' trust and fuel the company's growth. Earlier, I built security products and services. I'm also a Faculty Fellow at SANS Institute, where I help professionals develop malware analysis skills.

Learn more