News & Commentary
6/30/2017 10:30 AM
Joshua Goldfarb
Commentary

The Case for Crowdsourcing Security Buying Decisions

Why our industry needs a sharing platform with open and transparent access to peer knowledge, meaningful metrics, and transparency around security products and services

The Internet has forever changed the balance of power around information. To illustrate, consider the process of buying an expensive item or hiring someone for a large project. Years ago, the buyer (the consumer) was at a tremendous disadvantage because of his or her information deficit. The seller (the person performing the work or the retailer) held all of the cards: the seller knew his or her costs, what profit and margin would be made at various price points, and precisely what other options the buyer may or may not have had. Thus the chance of the buyer making an educated and informed decision was nearly non-existent.

Fast forward to today. Regardless of what I am looking to purchase, as the buyer I have access to a wealth of information. In addition to technical and financial details, I also have access to another source of information, one that is potentially the most valuable of them all. What is this secret weapon? The experiences of my peers. Sometimes, the best way to understand what buying a product or service really entails is to ask those who have bought it before.

Of course, we’re all familiar with numerous examples of this transfer of knowledge across many different industries. But for some reason, this seismic shift hasn’t made its way to security’s crowded and complex marketplace, which is overflowing with both buyer and seller confusion.

Let’s examine some of the reasons why this may be the case:

  • Immaturity: Security is still a relatively young and immature market. Definitive and utilitarian criteria and metrics by which value can be measured are difficult to come by.
  • Confusion: Value is hard to measure. This makes it difficult to weigh the pros and cons of various options and to separate solutions that fit a given set of requirements from those that do not.
  • ‘Drowning in Information’: To be more precise, in security there isn’t so much an information deficit as a knowledge deficit on the buyer’s side. As John Naisbitt wrote in his 1982 book Megatrends, “We are drowning in information but starved for knowledge.” There is certainly no shortage of information out there, but it is generally not the right type of information, and certainly not the type needed to help buyers gain knowledge and make educated buying decisions.
  • Secrecy: Some organizations evaluate security offerings on behalf of buyers, but the mechanisms behind those evaluations are far from open and transparent. Without knowing how these organizations perform their evaluations, who was included, and how the organization operates, it is difficult to know how to interpret the results.

A Sharing Platform for Security
There’s no easy answer to these challenges. But imagine a platform that provides open and transparent access to peer knowledge, meaningful metrics, clarity, and transparency around security products and services. Here’s what that might look like:

  • Peers: Often the best way to find out how something truly works, what problems it solves, where it exceeds expectations, and where it needs improvement is simply to ask your peers. If you have a strong network of peers who have experience with the same products and services you are evaluating, those people will be a tremendous resource during your buying process. And if you don’t? That’s where a sharing platform could be most useful.
  • Metrics: The buying process is difficult enough on its own. Not having reliable and meaningful metrics to evaluate potential vendors, and to track the progress and success of the project after the buying decision, complicates matters even further. Benchmarks and metrics that show progress as the organization works to improve its security posture are sorely needed. Building benchmarks and metrics into a sharing platform would also be a big boon to better buying decisions.
  • Clarity: Sources and tools that cut through the marketing hype to show what a product or service truly offers, in an easily digestible format, are sorely needed in the security field. This is another item on my wishlist for a security sharing platform.
  • Transparency: When buyers know the rules of the game and how the different players operate, they are more likely to trust the results. More trust in the results means those results provide more help and guidance during the buying process. In other words, if I have access, via a trusted platform, to information that is provided to me in an open and transparent manner and that comes from my peers, my confidence that the data has not been “tainted” by specific interests will be higher.

Security buying decisions, like all buying decisions, cannot be made in a vacuum. As our profession continues to mature, we need to do a better job equipping and empowering security buyers to make the right decisions for their respective organizations. Otherwise, I see no end in sight to the market confusion we’re experiencing currently.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ...

Comments
josh@idrra.com
User Rank: Apprentice
7/6/2017 | 12:56:13 PM
Re: Humans as "early-warning systems"
Interesting perspective - thank you Joe.
josh@idrra.com
User Rank: Apprentice
7/6/2017 | 12:54:02 PM
Re: What about IT Central Station?
Thank you for the comment. I have a few ideas here. If you would like to reach out to me privately, I would be happy to discuss further.
Joe Stanganelli
User Rank: Ninja
7/6/2017 | 12:33:33 PM
Humans as "early-warning systems"
As things stand now, when humans are your "early-warning system," it's generally already too late.

Thus, getting people involved in these ways early, before something goes *way* wrong (so wrong that they would seek IT/InfoSec teams out on their own), can be immeasurably helpful. I absolutely agree with the notion that "more eyes" can help here from a practical point of view.

Of course, just don't go overboard with it. Invite input, bear in mind that all users are stakeholders, but know where the buck stops.
brendonjwilson
User Rank: Apprentice
7/3/2017 | 2:00:45 PM
What about IT Central Station?
Totally agree with the article on the need. Bootstrapping a new two-sided marketplace for sharing information can be a hard problem to solve in a scalable fashion.

I did come across IT Central Station two years ago, but the information on the site was pretty thin on the ground, as was the catalog of products covered. I'm not sure if it's gotten better.

Anyone have any experience with IT Central Station?
josh@idrra.com
User Rank: Apprentice
6/30/2017 | 12:05:56 PM
Re: Crowdsourcing and Open Sourcing Security
Thank you, Christian, great comment. Very much appreciate your thoughts on this. I have some ideas here -- please feel free to reach out to me privately, and I'd be happy to discuss further.
Christian Bryant
User Rank: Ninja
6/30/2017 | 11:55:59 AM
Crowdsourcing and Open Sourcing Security
You don't have to convince me. Coming from the FOSS (Free and Open Source Software) world, I'm all about open and accessible metrics, code transparency, peer collaboration and "show me the code" clarity. But in drawing that comparison I can say right away that there will be huge hurdles. It took a long time for FOSS to be ubiquitous to where the average computer user knew what GNU/Linux was, or could name more than one of the top 10 popular FOSS languages. As another DR reader noted, PGP has been around a long time, and we FOSSers have been doing "security" for decades. But that's us. The practice of secure coding and global collaborative development has been fairly steady and flat out works.

It would be nice to see a stab at the solutions, though. You nailed the reasons why we aren't there yet when it comes to security for the average user as developed, supported and delivered by the "megacorps", let alone Enterprise security. Could the answer be somewhere in the FOSS story, I wonder?
