I attended a dinner organized by Eastwick Communications that featured several of their security clients and a security industry analyst. The discussion grew ever more interesting as the wine glasses emptied and refilled. Here are my notes from the evening:
- List of participants is below. Each of the security companies is working in important areas and focused on helping enterprises deal with the many risks.
- One of the companies said that security used to be difficult for startups to get funding but these days, it’s a very good sector and VCs love security companies. There’s also lots of revenue potential because of the complexity of enterprise security.
- The complexity of the security risks facing companies was repeated time and again by each of the companies.
- Deborah Gage from the Wall Street Journal asked a good question: Can private industry deal with the security issues or does it need government involvement? She didn’t receive a good answer beyond the usual response that government involvement isn’t necessary.
- We were reminded of the “fiduciary duties” that executives have towards making sure their business is protected from security risks.
- I asked what exactly are those fiduciary duties when it comes to security risks? How much is enough security? Is there a standard set?
- Private Core has an interesting approach to its goal of making cloud IT services as secure as your own data center. It encrypts the entire computation of an app from within the cache memory of microprocessors. It’s a much smaller attack surface.
- NSA revelations haven’t caused much concern among US enterprises but in Europe it is having a very large effect on enterprises.
- Enterprises often don’t know what devices they have connected to their networks. There are typically 5,000 applications used by staff in a large organization.
- Apps such as Dropbox are a problem because they have APIs and their contents are shareable by many other applications, greatly magnifying risks.
- “Free” apps on phones and tablets are a worry because they are making money by sharing data on their enterprise users — it’s one of the problems with the bring-your-own-device trend.
- Security is a very good business because it is one of the few things that will get a CEO out of bed at night.
- Jon Oltsik, senior analyst at the Enterprise Strategy Group, said security risks have increased because of the use of mobile, the increase in malware, and the problem that no one talks about: a big shortage of people with cyber security skills.
- I mentioned that people were still the biggest security risk and that people such as Edward Snowden were motivated by ethics and not money. It’s difficult to guard against ethical hackers — at least with money theft there’s a silver trail to follow. And I’m surprised we’ve only had one Edward Snowden.
- There was some discussion that Millennials might be a security threat because they are upset with large college debts and poor salaries. I disagree; they are much more likely to be motivated by ethics — doing the right thing — than by money.
- Security analyst Jon Oltsik ended the evening with a bang. Despite all the security companies at the table (and the many more in the industry), he said that the enterprise security situation is bad and will worsen further unless a radical new approach or technology is developed. But what is that radical new technology? No one had an answer.
Foremski’s Take: The security industry is constantly warning of ever greater risks to enterprises — the sky is always falling. When has a business bought enough security?
The answer seems to be that there is never enough security that you can buy. “You can never have enough security” is great for vendors, but it’s very bad for enterprises because it leads to indecision.
The complexity of the security risks is another issue. Some of the exploits are extremely sophisticated and can only be understood by experts in their fields. To expect CIOs to be able to assess the risks of exotic malware and other new exploits, and then take appropriate steps, is not realistic. It’s overwhelming.
The complexity needs to be outsourced in some way, even though the legal liabilities can’t be outsourced easily. Enterprises need specialist service providers that stay up to date on threats and can quickly implement protective measures and policies. Otherwise, the security situation will get worse.
Also, I wonder about the competitions that companies are advertising to find bugs and flaws in their software. Only a few people are rewarded but many others become familiar with the software and better able to discover and exploit additional weaknesses. Are the bug competitions training grounds for a new generation of hackers?
What was clear from the evening’s discussion is that security is a shimmering mirage that can never be reached, and can never quench your thirst for more. It’s a very good business to be in. Between the money lost to criminals and the money spent to prevent that loss, it’s a costly tax on doing business. And it does absolutely nothing to enable commerce or improve productivity.
- - -
Participants:
- Lasse Andresen, CEO, ForgeRock: ForgeRock is the only unified open source identity stack to protect enterprise, cloud, social and mobile applications at Internet scale.
- Patrick Peterson, CEO, Agari: Agari provides global brands with the experience, tools, and analytics they need to eliminate email threats, protect customers and their personal data, and proactively guard brand reputation.
- Arvind Purushotham, Citi Ventures: Citi Ventures is Citi's global corporate venturing arm, chartered to collaborate with internal and external partners to conceive, partner, launch, and scale new ventures that have the potential to disrupt and transform the financial services industry, drive client success, and generate new value for Citi.
- Peter Long, CEO, Lockbox: Lockbox is an end-to-end, client-side encryption platform that allows users to generate and maintain encryption keys for secure and private file sharing and storage in the cloud.
- Paul Stich, CEO, Appthority: Appthority provides the industry’s first all-in-one App Risk Management service that employs static, dynamic and behavioral analysis to immediately discover the hidden actions of apps and empower organizations to apply custom policies to prevent unwanted app behaviors.
- Rob Rachwald, Senior Director, FireEye: FireEye is the leader in next generation threat protection, stopping advanced malware, zero-day, and targeted APT attacks that bypass traditional defenses.
- Steve Weis, CTO, Private Core: Private Core is a venture-backed company delivering an industry first: the ability to protect enterprise data in use by encrypting memory.
- Scott Gordon, CMO, ForeScout: ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks.