Some of the most affable salespersons any of us have ever encountered are in the business of selling security.
The business of security takes on many personas: technology, intelligence, awareness, knowledge, automation, hardware, software, legal, identity, BYOD, privacy, insider or outsider, and risk and risk tolerance. At the recent RSA Conference 2014, many presentations touched one or more of these areas of focus, all with the intent of imparting shared information—knowledge, if you will—for the attendees to better understand the business called security.
The panel session "One Year Later: Lessons and Unintended Consequences of the APT1 Report" was hosted by Gal Shpantzer, Contributing Analyst, Securosis Analyst Firm, and a panel of four, all working in the business of security. This panel consisted of Lance James, Head of Intelligence, Vigilant by Deloitte; Martin McKeay, Security Evangelist, Akamai Technologies; John Prisco, President and Chief Executive Officer, Triumfant; and Nick Selby, Chief Executive Officer, StreetCred Software, Inc. The group as a whole noted that technology alone was not going to solve the problem of security. McKeay specifically commented that "if you are a small-medium business (SMB), don't try and build your technological solutions yourself—find an outsource." He continued, somewhat tongue in cheek, to suggest that compromised companies were adopting the "go ahead and compromise me—my stock will go up" attitude.
This may not necessarily be the glass-half-full attitude one would expect from business leaders, but markets seemingly agree. Those in the business of selling security need only focus on the reality of what happens when you look into the end of the data breach hose—namely, you're going to get hit with a gushing stream of data breaches that have occurred in the past six months.
Selby noted that the business of security needs a new lens, while Prisco commented that we can continue to expect to see headlines about the "sloppiest of these [breach] stories every month." He recommended infusing technology as a leverage point and that those of us in the business of security should apply more technology to the breach problem. James, for his part, noted that human mistakes have continued to repeat themselves in these situations, which indicates that those involved in security as a business are missing the "why" motivators behind breaches.
If we wish to remain in the business of security, we must transition from whiz-bang data overload to providing actionable information that can shape business outcomes.