RSA is going on this week. RSA is the big yearly gathering of security vendors and specialists where training and discussion take place big time. When I think about RSA, an image comes to mind. A few years back, during the opening keynote, Art Coviello, the CEO of RSA, came onstage and made a presentation that left everyone with a strange feeling. For twenty minutes, he made the case for how the security industry was failing. He showed statistics about how data breaches were going up, how there were more vendors in the industry, and how more money was being spent on security without a valid return on investment. What was unsettling was that he did not present any solutions to the problem. He was basically presenting the problem to the audience, whom he considered the most important security experts in the industry.
I think if he did the presentation today, he would still be right. The cyber security market is estimated to grow to $170B by 2020 with a CAGR of 8.1%. According to Gartner, the average selling price for a firewall is going up 2-3% per year. Inspection and DLP are deployed more and more. On the other side, data breaches, and the amount of information breached, are growing year over year. There are 3.9M records breached EVERY DAY. Sadly, we have not made huge progress as an industry.
One of the reasons for this is the perspective that we take on the problem. Over the last 20 years, people have been building walls. Security was all about building a fortress around your network. These walls were designed to protect the infrastructure from external attackers and prevent them from coming in and stealing data. But this approach did not cover major threats such as insider threats from employees who are looking for a second stream of revenue to launch new careers or simply sabotage the organization. It also did not include the larger threat of willing employees who may misbehave by mistake. For example, employees getting phished for passwords can be the weakest link in your organization. Humans are fallible after all, and this is where attackers are increasingly focussing their efforts.
Lately, there has been a shift in perspective though. Organizations are starting to monitor and secure their entire infrastructure. Many vendors are now offering solutions to do this, including AI analysis and plenty of new and cool technologies. This handles the problem from the same end of the stick though: the attacker perspective, trying to understand what the attacker might do and prevent the attack from happening. This is a never-ending battle, as attackers are smart, so they will continue to find new ways to get at an organization's infrastructure and data. On the flip side, we continue to spend more money building better walls and surveillance apparatus.
In order to solve this problem, we need to take a different perspective. We need to look at what we are trying to protect: data. If we can protect data, the walls become irrelevant. Do you know where your sensitive data is? Do you know where your sensitive data is stored? The large majority of data leaks reported to the federal government for HIPAA violations were leaked from servers by hackers or IT mistakes (like reducing security levels to apply a patch and forgetting to restore them).
With the explosion of unstructured data, and the growing adoption of cloud solutions, including file sharing and collaboration solutions, data is now in more and more locations, making it harder and harder to secure. Just look at the Microsoft Suite: it started with Exchange and file servers, then SharePoint, all three went to the cloud, and then add Yammer, OneDrive, and Groups. Now you can find data in a whole host of locations, and I haven't even mentioned Slack or Box.com. So how do we reduce our risk in light of this increase in sharing locations, especially when the weakest link is the user?
I'd like to propose a four-step process to solve the issue. The first step is to run a data audit to identify where your sensitive data lives. The second step is to decide the value of the data, and whether or not it needs to be secured or destroyed. The third step, remediation, allows you to change processes or train users on where sensitive data should be located. Finally, a monitoring program where you regularly audit your locations at low cost ensures that you continue to minimize your risks over time.
This four-step process helps you take a fresh perspective on security by looking at the data you care about instead of focussing efforts on staying one step ahead of the attackers. Netmail sells audit tools to help you do just that. There is no point in building a fortress with gun-carrying guards protecting the perimeter if there are stacks of cash all over the place. Why not take that money and put it in the bank?