How cybersecurity vendors make us less secure
Five ways in which cybersecurity companies undermine our security and where we can go from here
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Introduction
“Show me the incentives and I will show you the outcome” — surmised Charlie Munger (the closest partner and right-hand man of Warren Buffett) about how incentives drive nearly everything. While it is true for many areas of life, cybersecurity has become a textbook example of how perverse incentives make companies do what directly conflicts with their stated mission.
In this article, I will summarize five ways in which security vendors make us less secure. But first, let’s look at what security vendors claim they do.
A simple mission: to make the world secure
I’ve looked at the mission & vision statements of 25 private cybersecurity companies; the main theme seems to be building a secure world for everyone, becoming trusted leaders in their respective space, leading the evolution of security operations, and shaping the future of the industry.
These great aspirations are shared by large companies, those who “made it”, and are under public scrutiny to fulfill their mission statements. If I were to summarize their aspirations in a similar fashion, without putting any specific company on the spot, I have to call out the desire to stop breaches and build a sustainable, equitable, and more secure future for all, — once again, great goals to have.
The road to hell is paved with good intentions
It is fair to say that how cybersecurity vendors are working to fulfill their vision varies dramatically. Below are five ways in which I see companies fall short of their stated intentions and aspirations.
Increasing attack surface
A lot has been said about the tool proliferation in cybersecurity. An average security team is using over 70 security tools; while that number can be lower for smaller teams, it will definitely be substantially higher for large enterprises.
There are multiple reasons why this is the problem, but one of the most important ones is that more tools does not mean better security. Not only is there a lot of overlap between what different vendors are offering, which can lead to having the same data duplicated across multiple systems, but adding more tools to the organization’s environment creates more failure points and weakens security.
Hence lies the dilemma: while almost every vendor would like to “improve security”, they are incentivized to have their product be tool number 71, therefore increasing the company’s attack surface.
Perpetuating inefficient security workflows & vendor lock-in
For organizations to optimize their workflows and future-proof security operations, they need to have the ability to decide what products to integrate and in what ways. Unfortunately, this may be easier said than done.
Some cybersecurity vendors design their products as closed ecosystems of vendor-approved tools. If a solution you are looking to integrate is not a part of this list — you are out of luck. While sometimes this comes as a result of a deliberate plan to institute vendor lock-in, quite often it’s simply a side effect of vendors not building their products API-first. If you can only accomplish a task by logging in to a tool and clicking a button in web UI, this naturally makes it hard (and sometimes impossible) to integrate with other products at scale.
The last item that is worth calling out is data ownership. Anytime a vendor makes it hard to get any of the customer’s data from a tool X to any external destination, it signals a desire to make switching tools as complex as possible. This most definitely goes against many companies’ promises to see security as “an opportunity and not an obstacle”.
Charging the SSO (single sign-on) tax
As a product leader, I often see how poor customer discovery practices lead to less security for everyone. A good example is the SSO tax with so many vendors treating single sign-on as a luxury feature, not a core security requirement. It is especially ironic to see how SSO tax plays out in the cybersecurity space, often implemented by companies who claim to pursue “security for everyone”.
Stifling innovation & barriers to entry for entrepreneurs
I am convinced that there are three components needed for innovation in any industry: people, funding, and infrastructure (tools).
The “contact us for pricing” model and mandatory minimums prevent innovation in the industry by making it impossible for aspiring entrepreneurs to access the tooling they need to start their business. Even if they were lucky enough to use a tool X before when they were employed by a large enterprise, as soon as they go solo — they are generally out of luck. Early-stage founders of security service providers rarely have enough resources or certainty to negotiate contracts and commit to minimum spend or a minimum number of endpoints. Many cannot qualify to even access the product and see if it would solve their problem.
Perpetuating barriers to entry into the industry for professionals
Limiting access to tools security professionals need to do their job perpetuates barriers to entry into the industry. The “contact us to see if you qualify to use our product and learn about pricing” sales model acts as a solid barrier to solving the talent shortage. Worse yet, it also ensures that people from underrepresented groups will not be able to easily catch up with their more fortunate peers who are already employed by enterprises with access to the latest tooling.
Without hands-on exposure to technologies, like asset management, identity management, security automation, and orchestration, which have become ubiquitous across the industry, people cannot learn how to use the tools required to succeed in the industry. This creates the Catch-22 problem for those trying to get their first “real” job in cybersecurity.
The real-life impact of gated products on the careers of aspiring security professionals is so bad, that the claims of security vendors to “build a sustainable, equitable, and more secure future for all” do not stand any scrutiny.
We need diversity in security, not just because it is the right thing to do (which it most certainly is), but also because it’s hard to think holistically and creatively when everyone in the room comes from the same background. We need new perspectives, we need new opinions, and we need people who would shape the future of security.
Closing: staying optimistic about the future
From a very young age, we are taught to judge people by their actions, not by their words. The same applies to businesses — while many security vendors aspire to things like building an equitable and secure future for all, their actions often lead to the opposite — a promise of safety for a limited few.
This realization is truly unfortunate given that security professionals have been known for their openness, community spirit, and desire to help each other. Many of the best security communities, blogs, podcasts, open-source projects, and threat feeds are run by passionate volunteers driven to give back, make the world more secure and help others to do the same.
There are many ways the future of security can look like; I am very hopeful it will look as follows.
Despite the growing complexity of security, the number of security tools used by organizations will stop increasing exponentially and will instead be reduced. There won’t be a need to have multiple agents on the endpoint and manage relationships with hundreds of vendors at once.
Security products will be built API-first and delivered in a manner that makes it easy to integrate them with other components of the security stack. Technical documentation will be easily accessible to anyone, not just paying customers. Most importantly, vendors will not be employing lock-in schemes keeping the data hostage or preventing integrations with products outside of some “approved” ecosystem.
Security professionals will not be required to meet mandatory minimums and sign long-term contracts. If someone is interested in setting up a new tool in their home lab for their personal use or would like to start a small MSSP (managed security service provider) — they should have the ability to do so. Furthermore, those looking to build careers in cybersecurity will be able to learn the tools required to succeed in the industry regardless of where they work or if they work at all. Knowledge and security tooling will be easily accessible to anyone willing to learn.
Security professionals will be able to access the products they need, when they need them, and for however long they need them, without having to talk to a salesperson or attend a mandatory demo. Furthermore, they should have the ability to pay as they go, and only pay for what they use, no matter what product or vendor they are working with.
We are seeing many changes happening in the industry today, and I am optimistic about the future outlook. Having said that, hoping that new startups coming into the space will be able to reshape it is not enough.
We need to keep security vendors accountable for their actions instead of taking their promises for granted. This applies to the way security is done, but even more so — to the societal outcomes of their work. Security vendors cannot be allowed to talk about “fostering diversity” and “solving the talent shortage” when products they build are inaccessible to aspiring professionals and those underprivileged and underrepresented. They cannot claim “security for all” when only companies with deep pockets can be allowed to see their products at work.
We have seen that everything is interconnected, and the smallest player in the ecosystem, if not secured, can bring down a large number of organizations. Security, therefore, needs to be accessible to everyone — and that can only be achieved by making the industry open, transparent, and accessible.