“It’s not the technology, it’s the people. We don’t have necessarily the number of people or the people with the education we actually need to make a lot of the tools work,” argued Martin McKeay (@mckeay), Security Advocate for Akamai Technologies.
Technology is easier to use, it’s become consumer driven, and the complexity of the security problems is often hidden, said Brian Honan (@BrianHonan), Principal for BH Consulting. Technology is moving so fast without any regard for security. Honan notes that mobile phones today are in the same place security-wise as PCs were in the 80s and 90s.
In a conversation at the 2014 RSA Conference in San Francisco, McKeay and Honan ping-ponged back and forth as to what the real problem is in security.
Combined with fast-moving technology is the problem of technology debt. Our inability to keep up with changes causes more technology debt. We try to use other technology to pay back that debt, but that’s not the fix because it’s really a lack of understanding of the debt, said McKeay.
“Our environments are so much more complex to defend. It’s not just desktops, networks, servers, and mainframes anymore,” said Honan, who recognizes the environment to secure now also includes devices outside of the corporation’s control such as mobile phones, USB keys, and tablets.
“The target size has increased as have the vulnerabilities. We’re rolling out technology so quickly that we don’t know how to secure it,” said Honan.
McKeay comes around and argues that the real security problem is the NSA: “Our governments are as much of a threat to our corporations and to our personal privacy as the cybercriminals ever were. It’s now a known fact that these are issues we have to deal with and we can no longer trust our government. They thought they had a partner and now they found out their partner has been sleeping around.”
Every year I come to RSA I get the sense from those in attendance that we’re losing a war against the cybercriminals. And while McKeay is pessimistic about the state of security, he does believe we’re winning.
“We’re winning it if you look at winning it as staying in business,” said McKeay.