We Information Security professionals are a cynical bunch.
I asked on Twitter for some of you to reply to me, answering the following question:
"Describe Enterprise Security" in 3 words, add the #EntSec hashtag to it. And you probably wouldn't be surprised what sorts of things people replied with.
Here's a list of some of the most interesting answers:
- "lack of funds"
- tactical, overwhelmed, undefined
- "frozen in 2003"
- evolving, broken, compliance
- misunderstood, under-appreciated, compromised
- appliances, applications, misguided
- "cover executive a**es"
- governance, visibility, structure
- collaboration, prioritization, strategy
- triaging, fighting, futility
- prevent, detect, learn
- detect, prosecute, repeat
- "perception trumps truth"
- unmeasured, unfocused, unwilling
- "immature data science"
- "responsibility without authority"
The whole list (which is still growing) can be found here: https://docs.google.com/spreadsheet/ccc?key=0AuxqUM2iglwjdC1FUS1teER5ZldWaFV5NlBwQURUMkE&hl=en_US
If you wish to contribute, just reply to me (@Wh1t3Rabbit) on Twitter, with the hashtag #EntSec ...
I don't think it takes a rocket scientist to analyze what is going on here.
We're cynical. We're sick of vendors selling our management on solutions that don't actually solve anything, and that keep cramming our network closets and data centers with devices we can't hope to manage.
In fact, many security professionals and information security managers alike are getting fed up with vendors who don't take the time to understand the issues they're facing - and simply try to sell, sell, sell... If you want evidence, take a listen to Episode 4 of "Down the Rabbithole"...
I have two guests who are security managers at very small companies; listen to their advice to their vendors (link here).
There is another side to the coin, and I think this means opportunity. For every negative there is a chance to fix it, and I firmly believe that not all vendors are created equal.
I think plenty of us vendors listen to our customers, and attempt to provide actual solutions once we've taken the time to identify a problem.
Let me propose a step forward, then. Vendors - let's make sure we understand our customers. Consumers - please take the time to articulate what struggles you have, what makes work-life difficult, and the true nature of your security problems.
I think too often consumers of security products and services are so careful not to disclose anything, that they don't give the vendor a chance to understand them better.
Yes, this means I'm blaming both sides, almost equally.
Let's raise awareness together, and start solving some actual problems. It's crystal-clear we can be cynical... but can we actually make some lemonade here?
Cross-posted from Following the White Rabbit