Like most organisations, we like to think we’re different. We’ve been discussing this again only yesterday at our SMT meeting. Sadly, the reality is that everyone is making the same noise, fighting for mindshare, for that hour of your time, that chat over a coffee. And of course everyone can help you with your cloud and mobility challenges. By that reckoning, with the amount of vendors and resellers in the space, we’ll have this security thing licked sometime this year - right? Maybe, right after GDPR...
Interestingly, the figures show that despite increases in spending over the last few years we’ve seen an almost direct correlation with the amount of breaches - specifically a three-fold increase in both (albeit I don’t have the 2017 numbers just yet - perhaps there were so many, they’re still counting! )
So, despite all of this increased spending and this increased awareness, we aren’t getting any more secure? Hmmm….maybe we’re spending it wrong? maybe we’re looking at this in the wrong way?……
Just recently, a CISO friend of mine posted on LinkedIn about Microsoft’s Anti-Virus being discounted “just because” and I agree with him. I’m not agreeing because I’m a suck-up (he knows that's not my style!), but instead because it makes sense. Windows 10 is night and day better in terms of its design (e.g. no more 'kernel access for anything') and the anti-malware engine is demonstrably good too, as highlighted in this post that he shared. It simply works in the background and best of all, can free up significant budget - the same budget that has been spent for years on AV (boo-hoo all of you dinosaurs that have dined out on this for 25 years.)
I’m going to make a bold statement here and it's this:
“Better a 90% effective security solution that is fully embraced by your users, than a 100% effective solution that is subverted.”
There has recently been a post on The Register discussing this very thing and having spent the last 2 years thinking about how we can truly help our customers, I have come to the conclusion that it has to start with the users. They’re not wilfully being difficult - they simply want to get on with their day job. They're not interested in IT 'per se', and they have no desire to wrestle with the idiosyncrasies that we more geeky folk are happy work with. They don’t want to have to remember a 16 character, upper-case, number, and symbol password - changed every 30 days. It’s a pain in the backside, so don’t be surprised when they write it on a Post-It note. And don’t berate them either.
When I explain what makes Bridgeway different to new starters and potential customers, I use a simple analogy; “Remember when you used to have to enter your pin after 2 minutes on your iPhone, so you turned security off because it was a pain? And how easy it is now to just use your thumb or finger with TouchID?”
That is what the industry needs to focus on - making security easier for the everyday user. If the stats above are anything to go by, throwing more and more money at it hasn't delivered.
I’ll leave you with my bold statement - comments and challenges always most welcome.