Anyone who has been in Information Security for any length of time knows the difficulty of getting people to listen — the frustrating challenge of convincing people to take security seriously. In the enterprise, every single InfoSec budget dollar is painfully scrutinized, and every security decision is resisted. Many feel that no matter what InfoSec pros say or do, those they’re responsible for protecting prefer to wait for something bad to happen first. In the meantime, InfoSec laments how no one listens, and when an incident eventually does happen, it ambulance-chases and cries “told you so!”
Maybe the resistance is warranted, though. Maybe after the world spends $75 billion annually on InfoSec, only to see hacks large and small continue, become more damaging, and threat actors grow more brazen, people are justifiably skeptical of our value. In the eyes of many, InfoSec is at best seen as a necessary evil. InfoSec’s performance (or lack thereof) and this skepticism are why we now see billions of dollars flowing toward cyber-insurance premiums to cover breach costs, dollars NOT going directly toward preventing break-ins. This is a wake-up call and a clear signal that InfoSec is in the midst of a credibility crisis, a crisis that puts everyone at risk.
It also doesn’t help when the websites of security certification providers are laced with malware, when popular security software packages such as anti-virus are riddled with vulnerabilities that make customers less safe, or when major incident response vendors suffer data breaches of their own. Our work is too important to continue with the status quo. We need to turn things around, and so InfoSec has an important choice to make: it can either continue pointing fingers, complaining about the same things year after year, or, as an industry, take responsibility and do something about it.
First and foremost, we must find ways to improve InfoSec’s credibility and measurably prove its worth. One way to do that, a way that stands above all others, is for security vendors to contractually guarantee that their products and services will perform as advertised, the kind of guarantees we see and expect from every other major industry in the world. InfoSec is an incredibly confusing space, littered with snake oil and charlatans, so when security vendors are willing to provide guarantees and SLAs, it builds trust that differentiates them like nothing else can. Security guarantees are the biggest opportunity for every security practitioner and vendor to make a real difference, and everyone needs to get involved.