It’s time that we all came to an important and necessary conclusion: There is no silver bullet in security. There is no one product, solution, vendor or technology that is going to make you 100 percent secure. And if you’re relying on one product, you deserve a blog post all your own.
Now that we’ve all agreed on this point, let’s start talking about how we can all work together to solve a serious problem affecting everyone. Security is a complex ecosystem with many moving parts; ideally, all of these parts work in concert, seamlessly, to protect the company. As a CISO trying to protect an organization, the last thing I need is vendors bickering or engaging in some type of turf war with one another and ultimately making it harder for me to get information. But it seems that is exactly what is happening.
Take a look at some of the latest moves by some of the biggest players in the game. Back in January, Microsoft announced that they would no longer be providing advance notification of their upcoming Patch Tuesday bulletins on the Thursday prior. This is, of course, unless you were willing to pay for premium support. Let’s just say that the reaction from both the vendor and the customer side was not positive. It made what is already a consistently difficult task even more challenging for security teams everywhere. It removed valuable planning and preparation time and was motivated solely by money, not by strengthening the security ecosystem.
And don’t forget who is responsible for the Sony hack – oh you don’t know? It’s because we have no idea. No one can agree on what happened with Sony, one of the biggest hacks (headline-wise) in years.
Beyond the headlines, we have research labs and vendors unable to agree on flaws and products. The entire concept of coordinated disclosure isn’t for embarrassment or calling out a company on its flaws. It’s about protection. It’s about taking a look at software, something that is never perfect to begin with, and making it better. It’s about making sure that end users, and your company’s data, are safe. Nothing should be tossed to the side, or dismissed as “no big deal,” if it’s potentially affecting data or privacy. You know what happens when people are made aware of vulnerabilities and they don’t think it’s that big of a deal?
We are all in this security business together and we need to start acting like it. We need better coordination and communication. We are all united against a common enemy, those with malicious intent and set on trying to compromise our data and corporate crown jewels. If we are to be effective, we need to stop viewing each other as the competition and start working together.