The three dreams about the future of security that are not likely to come true anytime soon
Discussing why people aren't likely to start caring about security, why magic tools won't save us, and why the "big industry consolidation" is unlikely anytime soon (at least in the form many imagine)
Your vote counts: Venture in Security nominated as a top cybersecurity blog
Before we dive into this week's post, I’d like to ask for your help.
The Venture in Security blog has been nominated for the European Cybersecurity Blogger Awards 2023 in two categories:
- The N00bs - Best new podcast/blog
- The All-Rounder - Best Overall Blog/Vlog/Podcast
Your vote counts! If you like what I do and if you found Venture in Security valuable, please support my work by voting.
And, if you’re not yet subscribed, now is the time to do it.
About European Cybersecurity Blogger Awards
The European Cybersecurity Blogger Awards recognises the best bloggers, vloggers, tweeters and podcasters in the industry. Attended by the dedicated and brilliantly talented cybersecurity blogger community, CISOs and a number of other industry VIPs, the annual awards are an unmissable networking opportunity for anyone in the know. The event typically takes place on the evening of the first day of Infosecurity Europe. In the past, attendees included Troy Hunt, the creator of Have I Been Pwned and other well-known bloggers like Graham Cluley, Carole Theriault and Geoff White. You can learn more on the official awards website.
The human need for simplicity and resolution
We as humans crave order and simplicity. This makes intuitive sense: our brain seeks patterns, and we want to organize chaos into models we can understand. Look at the human body: there are layers on top of layers on top of layers - cells, organs, neurons, hormones, and the like; we’ve disassembled the complexity into separate disciplines that we can describe, analyze, teach, and specialize in.
As humans, we are also looking for resolutions: if there is a problem, we want to see it solved; when someone is telling us a story, we want to hear its ending. We know that what has a beginning has an end, and that a lot of what we see around us is cyclical: after sunset there will be a sunrise, and after winter comes spring. We don’t like things that are unfinished, and this need to see the ending develops at a very young age; remember how often kids start crying if parents stop the bedtime story in the middle instead of finishing it?
In pursuit of simplicity and resolutions, we sometimes go too far, thus oversimplifying the reality and underestimating the amount of time it will take us to reach a finish line (if there can even be one). That’s when the models we build stop being as relevant and useful in guiding our decision-making.
Cybersecurity is a great case study of all this in action. When one attends industry events, they are almost inevitably going to face several “truths” that people in the space repeat over and over again. In this piece, I would like to tackle three of these “truths” by looking at the broader context and trying to define how these are likely to unfold.
How wishful thinking makes us spread lies about cybersecurity
“The big industry consolidation is coming”
Many cybersecurity vendors are competing for customer attention and budgets. IT-Harvest, the largest database of security players, counts over 3300 companies; the actual number is most certainly higher, as it can take a year or two for new vendors to come onto analysts' radar. Even at that number, it is still a lot. I have previously explained why there are so many security vendors, and why saying “we don’t need 100+ EDR companies” is an oversimplification of what is happening.
I think it is hard to find a person or a company that would not say that we need fewer vendors. Similarly, almost everyone in the industry has been chanting, like a mantra, that “the big industry consolidation is coming”. As much as I would like to repeat that, joining in and amplifying the chant, I think the bigger picture is a bit more complicated.
We know that bad actors are constantly looking for new ways to accomplish their goals. The number of ways to get in, and hence the number of attack vectors, grows every day as new technologies emerge and gain adoption and new types of vulnerabilities are discovered. While the number of vulnerabilities and holes that can be exploited grows, in theory, as long as defense-focused companies can track all the potential attack vectors and quickly develop countermeasures, they can keep the balance of power. The problem is that this is easier said than done.
No market leader - be it Microsoft, Palo Alto, CrowdStrike, or anyone else - can confidently predict what new attack vector will emerge 5 years from now. Threat actors are poking holes in hundreds of different directions, but as commercial entities designed to generate profits for their shareholders today, security companies cannot invest all their resources in exploring every possibility in an attempt to get ahead of everyone else on the market and outsmart the attackers. Leading security vendors need to focus on what’s important today and, for the rest, simply wait and see, knowing that there will be someone else who can make those bets.
In parallel, we see thousands of new startups emerge tackling different problems on the market, some more futuristic than others. Many security professionals pursue cutting-edge thinking, approaches, and technologies in niche markets. They know that the chances of failure outweigh the chances of success, but if they do succeed, the payout can be great, and so can the impact on the future of the industry. Microsoft, Palo Alto, and other acquisitive companies can wait, identify the areas of security that matter, and buy one of the top five to ten leaders in that segment. They leave validation to the market, knowing that they can always buy a missing piece.
When new areas of security emerge, they require new skills and perspectives that cannot be easily developed by large companies. For example - the mobile revolution brought the widespread use of a new device that cannot be easily secured by people who built antivirus for Windows. This is why cybersecurity innovation is most often acquired, not built in-house. Both large companies and startup founders benefit from the acquisition-focused cycle of security innovation. Thanks to this cycle, companies can preserve their focus, and wait until they have better information thus de-risking their entry into a new market segment. Founders, on the other hand, take the initial risk knowing that if they are right, they can have a great payout. In the end, it’s a win-win.
As humans, we like stories that end well - this is why Cinderella finds her prince, and Harry Potter not only lives but also saves everyone who needs to be saved. It is also why we want to see the problem of vendor overload resolve itself, and that hope pushes us to talk about the imminent consolidation. Unfortunately, the idea that a few years from now cybersecurity vendors will consolidate ignores several important considerations:
- It takes a long time for security companies to build trust, which is why they cannot blitzscale and capture a large part of the market quickly; this leaves room for rivals and “me too” players to establish their niches.
- Large companies find it financially beneficial to wait and see what innovations catch on, and then buy the top players.
- Large companies find it hard to incubate innovation internally: the larger the company grows, the less likely it is to find and successfully commercialize new approaches and technologies. Clayton Christensen described this well in his book “The Innovator's Dilemma: The Revolutionary Book That Will Change the Way You Do Business”.
- A lot of cybersecurity innovations are built by people who develop experience in emerging areas of technology - something that, by definition, does not come from large corporations.
Note that I am not saying that cybersecurity industry consolidation is not happening, or will not happen. Instead, I am saying that consolidation is a continuous state of the industry, not a process that will happen in a few years and lead to fewer cybersecurity companies. The market categories known today are going to be consolidating, but then new threats will emerge, and with that - new point solutions, new market categories, more consolidation, new categories, and on and on and on. Eventually, large companies can indeed build enough expertise to tackle emerging areas, but unless they can figure out how to preserve the culture of innovation, they will need to continuously rely on startup acquisitions to stay on top of their game.
The idea that a few years from now we will have 500 vendors is nothing but wishful thinking, unless we can lower the importance of trust, shorten buying cycles, become comfortable trusting companies regardless of where their head office is based, and be okay with one country’s sensitive data being processed in another country. That, on the other hand, is unlikely to happen anytime soon.
“We need to get tool X and it will secure us”
A lot of what we know today as products and solutions originally started as approaches and ways of doing things. Think of so-called XDR (extended detection and response). At a certain point, companies realized that they needed full visibility into their environment and that their security coverage had to account for everything in that environment, not just the network and the endpoints. This realization led to the concept of integrated security: doing security across endpoints, SaaS, cloud, and other platforms. Not long after, savvy vendors started building XDR products - some to give companies tools to operationalize XDR-as-an-approach, others to take advantage of the hype and convince unsuspecting customers that XDR is a magic tool they need to deploy to be “safe”.
This is an oversimplified take, but the important point is that as humans, we are primed to look for shortcuts, for magic pills, for “easy” buttons that can solve our problems. Savvy entrepreneurs are always happy to offer one. This is how companies convince us that being healthy means taking ten different supplements, pre-workouts, and protein shakes, having a six-pack, and pumping biceps. This is also why lifting weights is more popular than functional training, and meal supplements get more traction than a healthy diet. Few people know that a six-pack and biceps offer little utility in real life, and one would be better off strengthening their core and stretching hamstrings.
Another great approach that has been productized so much that it is hard to even imagine it didn’t start purely as a product is zero trust. Zero trust is a way of designing and implementing IT systems built on the idea that no system or device can be trusted by default, even if it is connected to an internal network, and even if it has previously undergone verification. Today, when one attends the RSAC or almost any other gathering of vendors, it is too tempting to conclude that zero trust is just one more widget or tool that a company can buy to “get safe”. Indeed, buying a solution is easier than re-architecting the way many systems interact with one another.
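Zero trust as described here is a design rule rather than a product. The following added example (not code from this post or from any vendor) contrasts a perimeter check that trusts internal network location with a per-request evaluation of identity freshness, device posture, and entitlement. The network range, the re-verification window, the user entitlements, and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy inputs for this illustration (not from the post or any product).
INTERNAL_NET = ip_network("10.0.0.0/8")   # the range a perimeter model treats as "trusted"
MAX_VERIFICATION_AGE_S = 15 * 60          # strong authentication must be redone every 15 minutes
ENTITLEMENTS: Dict[str, Set[str]] = {     # least privilege: which resources each user may reach
    "alice": {"payroll", "wiki"},
    "bob": {"wiki"},
}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    device_compliant: bool          # result of a device posture check (EDR running, disk encrypted, ...)
    verified_age_s: Optional[int]   # seconds since the last strong (MFA) verification; None = never
    resource: str


def perimeter_decision(req: AccessRequest) -> bool:
    """Castle-and-moat model: being on the internal network is the entire check."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Evaluate identity freshness, device posture and entitlement on every request.
    Source network is deliberately not an input: location grants nothing, and a
    verification done earlier does not carry forward once it is older than the window."""
    denials: List[str] = []
    if req.verified_age_s is None:
        denials.append("no strong identity verification")
    elif req.verified_age_s > MAX_VERIFICATION_AGE_S:
        denials.append("verification stale; re-authenticate")
    if not req.device_compliant:
        denials.append("device posture check failed")
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        denials.append("user not entitled to resource")
    return (not denials, denials)


# Constructed requests covering the cases where the two models disagree.
SAMPLE_REQUESTS = [
    ("internal IP, never verified, compliant device",
     AccessRequest("alice", "10.1.2.3", True, None, "payroll")),
    ("internal IP, verified 40 min ago, compliant device",
     AccessRequest("alice", "10.1.2.4", True, 40 * 60, "payroll")),
    ("internal IP, verified 2 min ago, non-compliant device",
     AccessRequest("bob", "10.9.8.7", False, 2 * 60, "wiki")),
    ("external IP, verified 2 min ago, compliant device",
     AccessRequest("alice", "203.0.113.10", True, 2 * 60, "payroll")),
    ("external IP, verified 1 min ago, not entitled",
     AccessRequest("bob", "203.0.113.11", True, 60, "payroll")),
]


def compare(requests=SAMPLE_REQUESTS) -> List[Tuple[str, bool, bool]]:
    """Return (label, perimeter_allows, zero_trust_allows) for each request."""
    return [(label, perimeter_decision(r), zero_trust_decision(r)[0]) for label, r in requests]


if __name__ == "__main__":
    for label, perimeter, zero_trust in compare():
        print(f"{label:<52} perimeter={perimeter!s:<5} zero_trust={zero_trust}")
```

The perimeter model allows the first three requests purely because they originate from the internal range, including one that was never strongly verified and one coming from a non-compliant device; the zero trust evaluation denies all three and instead allows the fully verified request from outside the network. That inversion is the re-architecting the paragraph refers to: the decision moves from where a request comes from to what can be verified about it right now.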
Security is hard, and it wouldn’t be fair to put companies on the spot for wanting an easy way. Unfortunately, the shortcuts can only take them so far. This is because fundamentally there are two types of cyber attacks:
- Battles of technologies
- Battles of people
Battles of technologies happen when attackers target a large number of victims with malware or the like. This is essentially a “spray and pray” approach: bad actors know that if they craft a convincing email and send it to a large number of people, some will likely do what it asks. Similarly, if they can get users to click malicious banners, download bad files, etc., many will fall for it. Attackers using these methods typically do not know exactly who will become victims, but they have ways to “convert” victims into cash (ransomware is a common one). The reason I call these “battles of technology” is that in many cases, since there are no hands on the keyboard, the nature of these attacks is quite generic. Companies that have some defensive tooling in place (think antivirus, XDR, regular backup systems, and so on) can often withstand the attacks or minimize their impact. This doesn’t mean that tools can guarantee safety or security, but those that have something deployed are certainly better off than those who don’t, and even that can be enough to steer attackers toward weaker prey. The same cannot be said about the second category of attacks - battles of people.
Sometimes, instead of sending millions of emails to random addresses, attackers focus on breaking into a specific company. Large corporations, banks, fintech apps, e-commerce and social media platforms, and other types of businesses that hold power, a lot of money, or customer data (think the majority of companies today) are targeted the most, but any person or organization can become a target.
In battles of people, those equipped with tools alone will lose most of the time, no matter what logos, taglines, and brand names are printed on those tools. This isn’t because the tools they bought are not the “latest, next-gen, AI-powered solutions”; it’s because tools are just that - tools.
Attackers are people: creative, well-trained, well-motivated, and well-equipped with tooling they can use to achieve their goals. Although some - typically called script kiddies - are immature and not as technically proficient, many have incredibly deep knowledge of the code, how products are built, and how to subvert them into doing something they were not designed to do. To withstand targeted attacks, people on the defense side need to be a match to those on the attack side. This means they need to have a solid understanding of the code, know what attacks look like, be able to track the attacker, make their life more complicated, and prevent them from accomplishing their goals.
Tools don’t provide security. In every industry, a skilled professional will win against those with no experience and no foundational knowledge but new and shiny tools; it is true for fishing, cooking, driving, software development, design, security, and most other areas of life. Any time we get overly excited about the new technology that is going to “revolutionize” cyber defense, it’s worth keeping in mind that not only does the offense have access to the same advances in technology, but it can often be much better at collaborating, sharing, and iterating together. Moreover, attackers have experience with most commercial security tools, know where gaps lie, and how to get around them.
To secure the organization, one needs to take advantage of useful frameworks and approaches such as extended detection and response, zero trust architecture design, and defense in depth. This does not, however, mean buying a solution for every abbreviation Gartner or Forrester has announced to get “fully covered”.
There are many reasons why that is the case. First, all attack vectors are related and interconnected: cloud, endpoints, email, supply chain, and so on. While security vendors focus on separate segments, a lot happens on the edges between these segments. Second, whatever logic commercial security providers build to detect bad actors has to be generic enough to apply to most of their customers, which means that it will either fail to account for the company’s unique environment or generate tons of false positives (most often, both). Third, the more tools an organization implements, the more time it needs to manage these tools, and the less time it has left to do the actual security. This list can go on and on.
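To make the second point concrete, here is an added example (not code from this post or from any vendor) that runs one detection rule over a handful of constructed process-creation events, first as a vendor would have to ship it and then with the environment-specific exceptions that only the owning organization can supply. The accounts, script paths, and log lines are all constructed.

```python
import re
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: str
    host: str
    user: str
    cmdline: str


# Constructed process-creation telemetry: two scheduled backup jobs run by a
# service account, one spreadsheet, and two scripts launched from user-writable paths.
EVENTS: List[Event] = [
    Event("2023-05-01T02:00:01Z", "backup-01", "svc_backup",
          "powershell.exe -NoProfile -File C:\\ops\\nightly_backup.ps1"),
    Event("2023-05-01T02:00:05Z", "backup-02", "svc_backup",
          "powershell.exe -NoProfile -File C:\\ops\\nightly_backup.ps1"),
    Event("2023-05-01T09:14:33Z", "ws-alice", "alice",
          "powershell.exe -NoProfile -File C:\\Users\\alice\\AppData\\Local\\Temp\\inv.ps1"),
    Event("2023-05-01T09:15:00Z", "ws-bob", "bob",
          "excel.exe C:\\Users\\bob\\Documents\\q2.xlsx"),
    Event("2023-05-01T11:02:10Z", "ws-carol", "carol",
          "powershell.exe -NoProfile -File C:\\Users\\carol\\Downloads\\setup.ps1"),
]

# A generic, vendor-shippable rule: PowerShell started non-interactively with a script file.
GENERIC_RULE = re.compile(r"powershell\.exe\b.*-NoProfile\b.*-File\s", re.IGNORECASE)

# Knowledge only the owning organization has: which service accounts are expected to run
# scripts from which approved directories. A vendor cannot ship this; the customer adds it.
KNOWN_AUTOMATION: Dict[str, str] = {
    "svc_backup": "C:\\ops\\",
}


def generic_rule(events: List[Event]) -> List[Event]:
    """Fire on every match, as a rule written for 'most customers' has to."""
    return [e for e in events if GENERIC_RULE.search(e.cmdline)]


def tuned_rule(events: List[Event]) -> List[Event]:
    """Same match, minus the executions this environment's own inventory explains."""
    hits: List[Event] = []
    for e in events:
        if not GENERIC_RULE.search(e.cmdline):
            continue
        approved_dir = KNOWN_AUTOMATION.get(e.user)
        if approved_dir and approved_dir.lower() in e.cmdline.lower():
            continue  # expected scheduled job from an approved path
        hits.append(e)
    return hits


def summarize(events: List[Event] = EVENTS) -> Dict[str, int]:
    """How many alerts each version raises, and how many the tuning suppressed."""
    generic = generic_rule(events)
    tuned = tuned_rule(events)
    return {
        "generic_alerts": len(generic),
        "tuned_alerts": len(tuned),
        "suppressed_as_known_automation": len(generic) - len(tuned),
    }


if __name__ == "__main__":
    print(summarize())
    for e in tuned_rule(EVENTS):
        print(f"ALERT {e.ts} {e.host} {e.user}: {e.cmdline}")
```

On this sample the generic rule raises four alerts, half of them for the nightly backup job; the tuned version keeps only the two script launches from user-writable directories. The suppression list is the part that does not come in the box, and maintaining it (and noticing when it goes stale) is the ongoing work the paragraph counts against each additional tool.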
Shortcuts are tempting and buying products sounds like a good idea, but it is not. Security is not built by monitoring alerts generated by black-box vendors that offer to “stop breaches, APTs, and zero days”. It is built by moving from promise-based to evidence-based security, embracing a culture of defense in depth, investing in building high-performance teams of mature practitioners, and tailoring security coverage for the specific organization’s environment. Anyone who suggests that the answer to the question “how to secure my organization?” starts with “you need to buy…” is lying or does not understand how security works. Many vendors and security consultants are, unfortunately, guilty of both.
“One day people will start caring about security”
It has been repeated endlessly that “people are the weakest link” and that no company can hope to be secure if its employees do not practice good security habits. It is obvious that there is a problem, and we have no choice but to do something about it. What is less obvious is what to do.
Can we make caring about data a part of everyone’s job responsibility? We most certainly can, and I am confident we should. Can we invest in educating people about security? Absolutely; Israel has been doing it for years, and I am convinced that teaching personal data care should be one of the goals of the school system, along with the basics of health and personal finance. We are already starting to see this happen: a few days ago, North Dakota became the first state in the US to require public schools to teach cybersecurity and computer science. Can we nudge people to make the right decisions? We certainly can.
There is a lot we could and should try to do, as long as we keep in mind one important fact about humans: people hate friction. Whatever we do, we look for ways to cut corners and eliminate pain. Businesses know this, which is why product teams focus on shortening signup flows, marketing professionals on eliminating unnecessary questions from webinar registrations, and sales teams on making the buying process nearly effortless. What is ironic is that security companies do all of that as well, and it is hard to find a practitioner who enjoys having to attend multiple demos before they can try a security product.
The fact that people don’t like friction isn’t surprising. What is surprising is that most security companies do not realize that they themselves are introducing friction into people's lives. Some do, but argue that it is justified because people “have to start caring about their security”. This statement, however well-intentioned, ignores human nature. For security practitioners, it’s shocking to even imagine that somebody would write a password on a sticky note, yet they themselves will overspend by paying contactless rather than with a card or cash, and take a shorter path when driving even if it is not the safest one. We are all human, and we all fall victim to the same psychological biases and “just get it done!” attitudes in our lives.
What is also true is that education doesn’t change behavior. Without going too deep into research into decision science, I will say this: few people are not aware of the dangers of excessive sugar consumption, smoking, alcohol, and drug use. Yet, despite the widespread education, many of these behaviors are incredibly common. A case in point is smoking: I think it’s hard to find a smoker who doesn’t believe that smoking is bad, and that doesn’t typically cause them to quit the habit.
If people don’t like friction and education doesn’t lead to behavioral changes, it’s unlikely that “one day people will start caring about security”. To build a more secure world, we have to work with these factors in mind.
People want a seamless experience, and that means that for secure behavior to become the norm, it needs to be frictionless. Ideally, secure behavior should have less friction than insecure behavior, but that’s the cherry on top. For security not to add friction, it needs to be embedded in everyday technology in a way that makes it invisible to the average consumer. The reason many people choose biometrics over passcodes is not security but ease of use: one touch, and they’re in. The only way to make this happen is to make it the responsibility of software and hardware providers to build security into their offerings, and that brings us to the second point - regulation.
We know that the vast majority of people are not financial gurus and do not understand the complexity of financial instruments. We could leave the market unregulated and encourage people to get “educated about their personal finance”, but that would not be enough to protect them from financial scams, pyramid schemes, and financial vehicles not appropriate for their risk appetite. Without giving up on education, we were able to design and continuously strengthen consumer protection laws that place the responsibility on providers of financial instruments, not consumers. In the areas of life where governments chose to put the responsibility on consumers instead of providers, the outcome hasn’t been as positive. A case in point is recycling: instead of forcing everyone to recycle plastic bags, it might be easier to ban or regulate their production and encourage the use of more sustainable materials. However, in many parts of the world, we have chosen the path of mass-producing plastic bags and naively hoping that running a TV ad showing a dying whale will be enough to get people to reuse them.
I will be the first to say that we can’t let the government place restrictions on all areas of our lives. There has to be a line between regulation and the free market, and where to draw that line will depend on the price that has to be paid when someone fails to do the right thing. In cybersecurity, the price can be incredibly high.
The recently released US National Cybersecurity Strategy is a step in the right direction. It states that the US “must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us”. Under the new Strategy, software creators rather than the end users should be the ones responsible for security. This is, in my opinion, the approach that is needed, as it both creates the right incentives, and makes it possible for those building security to make it as seamless as it can be for the end user. The strategy, of course, is just an aspirational document unless backed up by the right systems, processes, and the government’s resolve to execute it.
Cybersecurity is hard, and it is tempting for people to hope that tomorrow it will get easier - that the number of vendors will go down, that new tools are going to solve tough problems, and that people will start caring about security much more than they do today. I think that to a certain degree, we will see all of that: larger vendors acquiring smaller players, new types of solutions arming security practitioners with the tools they need to do their jobs, and many more people realizing that they need to care about their data. Having said that, each of these predictions is based more on wishful thinking than on the realities of the industry, and therefore is unlikely to have the impact some in the field are hoping for.
It pains me to say it, but with the ever-increasing digitization of our society, growing interconnectedness, and the speed of technological innovation in general, security is only going to get harder. Companies need to stop looking for shortcuts, buying magic tools, and hoping for the best and instead start investing in the right people, systems, and processes to mature their security operations, and move from promise-based to evidence-based security. As they do it, it’s worth keeping in mind the famous quote by Dr. Deming: “It is not necessary to change. Survival is not mandatory.”