Ben Johnson
Tax Reform, Cybersecurity-Style

How the security industry can be more effective and efficient by recognizing four hidden "taxes" in the buying and selling process.

In the political world, taxes are an incredibly divisive, contested, and complicated issue. In everyday life, taxes are a staple, the more frequent of the two certainties in Benjamin Franklin's adage that "nothing can be said to be certain, except death and taxes." Regardless of the time or place, if taxes come up in discussion, it's likely to be with a negative tone. That's why we hear recurring calls for tax reform.

The cybersecurity world has its own form of taxes, and it too is in need of a reform. What do I mean by that? Let's dive in.

The Procurement Tax
One would think that having a popular product or addressing a major security gap would result in a quick transaction between a buyer and seller. The reality is that it often takes multiple pitches and discussions just to get to the proof-of-concept stage. Even this is only possible if there's already a project for this type of solution. If not, the cards are stacked in favor of friction, taxing all those involved, such as value-added resellers and others, just to get into a proper evaluation. In this scenario, we might as well call meetings taxation. If you had to go through multiple demos, meetings, and paperwork before you could buy a car or TV, would you still want it?

The Implementation Tax
Let's assume you successfully procure the product or service. From here, the new capability must be deployed in the environment, taxing internal teams. The implementation phase often requires dedicated resources to get the new capability to anything comparable to what was pitched during the demo.

The coordination of getting assets, like space on the ESX server or a place to drop hardware, involves a procurement and implementation process of its own. Next, companies must determine who has ownership of the product and empower that team to ramp up quickly, which often equates to training. This means less time is spent defending and more time is spent on forming new processes. And finally, in the modern security tech stack, if you're not integrating, automating, and orchestrating your capabilities across the existing technologies, you're playing from behind.

If you're a vendor, think about how much time it takes to close the sale, and then understand that most of the actual work for your buyer begins only after the purchase order is issued. Vendors would do well to think about how to reduce as much of the implementation tax as possible.

The Care-and-Feeding Tax
When the new capability is procured and implemented, are we good? Did we pay the rhetorical sales tax, and are we now in the clear? Sadly, no.

One of the top challenges in cybersecurity today is the shortage of skilled professionals. There simply aren't enough qualified individuals sitting in the right seats who are able to maintain the products monitoring their environments. According to a report made by Gartner last year, by 2022 there will be 1.8 million unfilled positions in cybersecurity, which means far fewer people are available for the care and feeding that these products require.

The second challenge is what I like to call the deploy-and-decay problem. Deploy and decay means that technology and capabilities actually get worse over time rather than better. Security requires proper, consistent care — like brushing your teeth every day — except that with large teams, cyber hygiene involves changing toothbrushes, more and different teeth, and bureaucracy.

Vendors need to understand that there are almost exclusively two kinds of users of their technology: those who do not live and breathe security, and those who do but have no time. So the actual human expertise being applied to the products is often low, simply due to minimal experience or minimal time. And yet products continue to require a tremendous amount of care and feeding: tuning rules, playbooks, and policies. The environment is shifting and dynamic, and so are the attackers; if the landscape and the adversaries are both in motion, the defensive capabilities need to be as well. This taxes the security team tremendously.

The Consulting Service Tax
If you outsource or largely leverage services, you might be thinking that the tax analogy doesn't apply. But let's say you use a managed security service provider that rarely talks to you and tries to take on as much of the burden as possible. The tax there is a lack of understanding and a lack of context, so how effective is that service really? Or, if there are lots of interactions between the outsourced team and your team, then you're both paying for the service and paying in time to educate that service. So there's still a large tax to keep defenses up to par.

Now the Good News
First, like most challenges, there must be general awareness. The security industry seems to be waking up. As companies move through the process of acquiring new security capabilities, awareness will grow. It's the responsibility of customers and vendors to work together to reform the process and reduce taxes, particularly when we face challenges such as skill shortages and evolving threats.

Secondly, some trends are inherently reducing taxes. Software-as-a-service (SaaS) products provide an easier, faster procurement and implementation process. The taxes around care and feeding go down because, with cloud back ends, the vendors gain visibility into how the solutions are performing, which allows for faster feedback loops and further refinement. Maintenance pain points on self-hosted solutions, such as patching and other system administration, are also greatly reduced with a SaaS approach.

Thirdly, with cloud-based back ends and data sets, it's often easier to share information, either inside a particular vendor across its customer base or between organizations that want to utilize the collective expertise to improve threat intelligence. So there's more collaboration in less time, which should be a net positive.

Finally, we need to embrace advancements in machine intelligence and automation to help make a dent in the tuning process. By observing events within a particular solution and understanding how humans interact with them, tools should adapt to optimize the human-machine interactions. Teams can become more effective through self-optimizing technology.

We used to have a saying that each attack should make the entire community stronger — does each interaction with a product make it stronger? We can hope. And we can act. By recognizing the hidden costs of cybersecurity, we can begin the work toward reclaiming time and money. The burden is on all of us to come together to improve, so let's make 2018 a year where cybersecurity tax reform starts to take hold.

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ...
