Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Ben Johnson
Ben Johnson
Connect Directly

Tax Reform, Cybersecurity-Style

How the security industry can be more effective and efficient by recognizing four hidden "taxes" in the buying and selling process.

In the political world, taxes are an incredibly divisive, contested, and complicated issue. In everyday life, taxes are a staple, the more frequent visitor of Benjamin Franklin's adage that "nothing can be said to be certain, except death and taxes." Regardless of the time or place, if taxes come up in discussion, it's likely to be with a negative tone. That's why we hear recurring calls for tax reform.

The cybersecurity world has its own form of taxes, and it too is in need of a reform. What do I mean by that? Let's dive in.

The Procurement Tax
One would think that having a popular product or addressing a major security gap would result in a quick transaction between a buyer and seller. The reality is that it often takes multiple pitches and discussions just to get to the proof-of-concept stage. Even this is only possible if there's already a project for this type of solution. If not, the cards are stacked in favor of friction, of taxing all those involved such as value-added resellers and others, just to get into a proper evaluation. In this scenario, we might as well call meetings taxation. If you had to go through multiple demos, meetings, and paperwork before you could buy a car or TV, would you still want it?

The Implementation Tax
Let's assume you successfully procure the product or service. From here, the new capability must be deployed in the environment, taxing internal teams. The implementation phase often requires dedicated resources to get new capability to anything comparable to what was pitched during the demo.

The coordination of getting assets, like space on the ESX server or a place to drop hardware, involves a procurement and implementation process of its own. Next companies must determine who has ownership of the product and empower that team to ramp quickly, which often equates to training. This means less time is spent defending and more time is spent on forming new processes. And finally, in the modern security tech stack, if you're not integrating, automating, and orchestrating your capabilities across the existing technologies, you're playing from behind.

If you're a vendor, think about how much time it takes to close the sale, and then understand that it is after the purchase order is issued when most of the actual work for your buyer begins. Vendors would do well to think about how to reduce as much of the implementation tax as possible.

The Care-and-Feeding Tax
When the new capability is procured and implemented, are we good? Did we pay the rhetorical sales tax and are now in the clear? Sadly, no.

One of the top challenges in cybersecurity today is the shortage of skilled professionals. There simply aren't enough qualified individuals sitting in the right seats who are able to maintain the products monitoring their environments. According to a report made by Gartner last year, by 2022, there will be 1.8 million unfilled positions in cybersecurity, which means many fewer human resources are available for the care and feeding that these products require.  

The second challenge is what I like to call the deploy-and-decay problem. Deploy and decay indicates that technology and capabilities actually become worse over time rather than improve. Security requires proper, consistent care — like brushing your teeth every day — except that with large teams, cyber hygiene involves changing toothbrushes, more and different teeth, and bureaucracy.

Vendors need to understand that there are almost exclusively two kinds of users of their technology: those who do not live and breathe security, and those who do but have no time. So the actual human expertise being thrown at the products is often low, simply due to minimal experience or minimal time. And yet products continue to require a tremendous amount of care and feeding — tuning rules, playbooks, and policies. The environment is shifting and dynamic, and so are the attackers, so therefore if the landscape and the adversaries are both in motion, the defensive capabilities also need to be. This taxes the security team tremendously.

The Consulting Service Tax
If you outsource or largely leverage services, you might be thinking that the tax analogy doesn't apply. But let's say you use a managed security service provider that rarely talks to you and tries to take as much of the burden as possible. The tax there is a lack of understanding and a lack of context, so how effective is that service really? Or, if there are lots of interactions between the outsourced team and your team, then you're both paying for the service and paying in time to educate that service. So there's still a large tax to keep defenses up to par.

Now the Good News
First, like most challenges, there must be general awareness. The security industry seems to be waking up. As companies move through the process of acquiring new security capabilities, awareness will grow. It's the responsibility for customers and vendors to work together to reform the process and reduce taxes, particularly when we face challenges such as skill shortages and evolving threats.  

Secondly, some trends are inherently reducing taxes. Software-as-a-service (SaaS) products provide an easier, faster procurement and implementation process. The taxes around care and feeding go down because with cloud back ends, the vendors gain visibility into how the solutions are performing, which allows for faster feedback loops and further refinement. Maintenance pain points such as patching and performing other system administration on self-hosted solutions also are greatly reduced with a SaaS approach.

Thirdly, with cloud-based back ends and data sets, it's often easier to share information, either inside a particular vendor across its customer base or between organizations that want to utilize the collective expertise to improve threat intelligence. So there's more collaboration in less time, which should be a net positive.

Finally, we need to grasp advancements in machine intelligence and automation to help make a dent in the tuning process. By observing events within a particular solution and understanding how humans interact with them, tools should adapt to optimize the human-machine interactions. Teams can become more effective through self-optimizing technology.

We used to have a saying that each attack should make the entire community stronger — does each interaction with a product make it stronger? We can hope. And we can act. By recognizing the hidden costs of cybersecurity, we can begin the work toward reclaiming time and money. The burden is on all of us to come together to improve, so let's make 2018 a year where cybersecurity tax reform starts to take hold.

Related Content:


Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...