All Those Companies that Can't Afford Dedicated Security
This is interesting:
In the security practice, we have our own version of no-man’s land, and that’s midsize companies. Wendy Nather refers to these folks as being below the “Security Poverty Line.” These folks have a couple hundred to a couple thousand employees. That’s big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything. These folks are caught between the baseline and the service box. They default to compliance mandates like PCI-DSS because they don’t know any better. And the attackers seem to sneak those passing shots by them on a seemingly regular basis.
[…]
Back when I was on the vendor side, I’d joke about how 800 security companies chased 1,000 customers—meaning most of the effort was focus on the 1,000 largest customers in the world. But I wasn’t joking. Every VP of sales talks about how it takes the same amount of work to sell to a Fortune-class enterprise as it does to sell into the midmarket. They aren’t wrong, and it leaves a huge gap in the applicable solutions for the midmarket.
[…]
To be clear, folks in security no-man’s land don’t go to the RSA Conference, probably don’t read security pubs, or follow the security echo chamber on Twitter. They are too busy fighting fires and trying to keep things operational. And that’s fine. But all of the industry gatherings just remind me that the industry’s machinery is geared toward the large enterprise, not the unfortunate 5 million other companies in the world that really need the help.
I’ve seen this trend, and I think it’s a result of the increasing sophistication of the IT industry. Today, it’s increasingly rare for organizations to have bespoke security, just as it’s increasingly rare for them to have bespoke IT. It’s only the larger organizations that can afford it. Everyone else is increasingly outsourcing its IT to cloud providers. These providers are taking care of security—although we can certainly argue about how good a job they’re doing—so that the organizations themselves don’t have to. A company whose email consists entirely of Gmail accounts, whose payroll is entirely outsourced to Paychex, whose customer tracking system is entirely on Salesforce.com, and so on—and who increasingly accesses those systems using specialized devices like iPads and Android tablets—simply doesn’t have any IT infrastructure to secure anymore.
To be sure, I think we’re a long way off from this future being a secure one, but it’s the one the industry is headed toward. Yes, vendors at the RSA conference are only selling to the largest organizations. And, as I wrote back in 2008, soon they will only be selling to IT outsourcing companies (the term “cloud provider” hadn’t been invented yet):
For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure—power, water, cleaning service, tax preparation—customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.
[…]
The RSA Conference won’t die, of course. Security is too important for that. There will still be new technologies, new products and new startups. But it will become inward-facing, slowly turning into an industry conference. It’ll be security companies selling to the companies who sell to corporate and home users—and will no longer be a 17,000-person user conference.
Mike B • February 22, 2013 6:22 AM
All of this of course assumed that the outsourced security model becomes dominant, especially under increasing regulatory scrutiny. First, while in theory cloud providers should be able to do a better job, if they ultimately prove that they cannot then customers with high security requirements are going to have to insource their IT and security again.
Also, regulation could prove huge here, especially if the government wants to ensure that users with high security requirements maintain responsibility and custody of their own data. Cloud providers and end users could play off each other to avoid all sorts of security liability and if the law decides the end user needs to be more responsible then outsourcing will become infeasible.
Another regulatory concern could be single point of failure. If Amazon gets pwnd and everyone uses Amazon then in one stroke the IT infrastructure of a % of the economy could be affected in one go. While everyone cooking their own IT may be less secure, it does present more barriers to an attacker looking to do real damage. Furthermore if Amazon or other cloud providers are susceptible to government spying, taxes and court orders, it could again make cloud services less desirable.
Remember we all thought manufacturing was dead in America until the hidden costs of outsourcing became clear.