You just have to have a lot of respect for people who aren't afraid to write what they're thinking ... Ben Kepes does exactly that in his post on Tech Crunch titled - "On Lack Of IT Readiness – And Innovators Dilemma. VMware Delivers A Sad Reality".
What I hear Ben saying is that enterprise IT likes buzzwords, and has no desire to depart from the way it has done things for the last several years.
You probably won't be surprised to hear that this also applies to the world of Information Security. Don't believe me? Analysts tell us that 75% of IT Security budgets go to network security technologies... those same technologies we've been paying homage to for the last decade plus. You know, firewalls, IDS/IPS, and that massive spend on "anti-virus" technologies that we all pretty much agree aren't going to stop anything except the Sasser worm.
Ben's treatise is centered around IT being afraid to move out of its comfort zone. This applies to all of IT, including security, and shows plainly in our behavior. While the threats have clearly moved on several steps past where defenses are today, we keep piling budgetary dollars into the old stand-by technologies... because we're confused about what we really need.
But as I write this I can't help but ask myself ... what does this actually mean for IT Security? Have we gotten to a point where all the 'old tools' we had available to us have been utilized efficiently, deployed pragmatically, and maximized? You don't need to be a penetration testing expert to answer "no" pretty readily.
Maybe sticking to the basics wouldn't be such a bad thing in IT Security... that is, if we had a clue on how to do the basics right. I know plenty of people who penetration test all day every day and they'll be the first to tell you how easy it is to break in because defenses are so weak, if they exist at all! Most IT Security organizations are busy checking some boxes on an audit list, and effectively missing the forest for the trees when it comes to actual security.
Alright, back to Ben's point.
I don't think you can blame the vendors in the IT Security space. There are plenty of very interesting and innovative solutions out there. We do our fair share of interesting things here... as do many other vendors, but look how long it's taken for organizations to take software security seriously!
When I was a solutions engineer for 3+ years with our Application Security group, I had the hardest time convincing organizations they needed to spend their budget on software security technology, tools and training. Many of these IT organizations were still busy spending the lion's share of their budgets on network tech and couldn't understand why I was asking them to spend on their applications' security when they "already had a firewall".
Maybe it's just IT's curse to deliver slowly to the business. Maybe it just takes us longer to adopt those technologies we claim to lead with, because we're struggling to understand the business we serve. I suspect a lot of it has to do with this. Delivering "cool" new technology solutions to business problems is a tricky thing - and one that's quite difficult to make happen without failing. And you know we're all afraid to fail.
Can you blame the vendors? Working for a vendor and watching the vendor landscape carefully, I can honestly say - yes. The amount of customer and market confusion and distrust that comes from over-promising and under-delivering is reaching epic proportions.
It's a self-feeding downward spiral, really. Vendors over-promise and under-deliver, so customers learn to distrust them... which makes vendors try harder to impress and wow the customer, which pushes them further into over-committing, and we go further down the spiral.
Blame buzzword-hungry, wide-eyed customer buyers looking for the next big shiny box to solve their APT problems, only to completely ignore the implementation? Blame analysts who tell you which new technology you should be buying lest you fall behind? Blame vendors who over-commit and under-deliver? All of the above?
So what we're left with is talking about the next big techno-gadgetry, implementing some of it in a mostly "for show" fashion as Ben suggests, and leaving the rest to the old stand-bys. Then, inevitably, bad things happen...
For fear of sounding like a broken record, I'll just repeat this one more time. Nail down the basics, understand the business in order to serve it properly, look sanely towards new technologies that can integrate with your existing solutions in your environment, and don't skimp on the implementation. That's my advice...
Cross-posted from Following the White Rabbit