Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Ben Johnson
Ben Johnson
Connect Directly

Tax Reform, Cybersecurity-Style

How the security industry can be more effective and efficient by recognizing four hidden "taxes" in the buying and selling process.

In the political world, taxes are an incredibly divisive, contested, and complicated issue. In everyday life, taxes are a staple, the more frequent visitor of Benjamin Franklin's adage that "nothing can be said to be certain, except death and taxes." Regardless of the time or place, if taxes come up in discussion, it's likely to be with a negative tone. That's why we hear recurring calls for tax reform.

The cybersecurity world has its own form of taxes, and it too is in need of a reform. What do I mean by that? Let's dive in.

The Procurement Tax
One would think that having a popular product or addressing a major security gap would result in a quick transaction between a buyer and seller. The reality is that it often takes multiple pitches and discussions just to get to the proof-of-concept stage. Even this is only possible if there's already a project for this type of solution. If not, the cards are stacked in favor of friction, of taxing all those involved such as value-added resellers and others, just to get into a proper evaluation. In this scenario, we might as well call meetings taxation. If you had to go through multiple demos, meetings, and paperwork before you could buy a car or TV, would you still want it?

The Implementation Tax
Let's assume you successfully procure the product or service. From here, the new capability must be deployed in the environment, taxing internal teams. The implementation phase often requires dedicated resources to get new capability to anything comparable to what was pitched during the demo.

The coordination of getting assets, like space on the ESX server or a place to drop hardware, involves a procurement and implementation process of its own. Next companies must determine who has ownership of the product and empower that team to ramp quickly, which often equates to training. This means less time is spent defending and more time is spent on forming new processes. And finally, in the modern security tech stack, if you're not integrating, automating, and orchestrating your capabilities across the existing technologies, you're playing from behind.

If you're a vendor, think about how much time it takes to close the sale, and then understand that it is after the purchase order is issued when most of the actual work for your buyer begins. Vendors would do well to think about how to reduce as much of the implementation tax as possible.

The Care-and-Feeding Tax
When the new capability is procured and implemented, are we good? Did we pay the rhetorical sales tax and are now in the clear? Sadly, no.

One of the top challenges in cybersecurity today is the shortage of skilled professionals. There simply aren't enough qualified individuals sitting in the right seats who are able to maintain the products monitoring their environments. According to a report made by Gartner last year, by 2022, there will be 1.8 million unfilled positions in cybersecurity, which means many fewer human resources are available for the care and feeding that these products require.  

The second challenge is what I like to call the deploy-and-decay problem. Deploy and decay indicates that technology and capabilities actually become worse over time rather than improve. Security requires proper, consistent care — like brushing your teeth every day — except that with large teams, cyber hygiene involves changing toothbrushes, more and different teeth, and bureaucracy.

Vendors need to understand that there are almost exclusively two kinds of users of their technology: those who do not live and breathe security, and those who do but have no time. So the actual human expertise being thrown at the products is often low, simply due to minimal experience or minimal time. And yet products continue to require a tremendous amount of care and feeding — tuning rules, playbooks, and policies. The environment is shifting and dynamic, and so are the attackers, so therefore if the landscape and the adversaries are both in motion, the defensive capabilities also need to be. This taxes the security team tremendously.

The Consulting Service Tax
If you outsource or largely leverage services, you might be thinking that the tax analogy doesn't apply. But let's say you use a managed security service provider that rarely talks to you and tries to take as much of the burden as possible. The tax there is a lack of understanding and a lack of context, so how effective is that service really? Or, if there are lots of interactions between the outsourced team and your team, then you're both paying for the service and paying in time to educate that service. So there's still a large tax to keep defenses up to par.

Now the Good News
First, like most challenges, there must be general awareness. The security industry seems to be waking up. As companies move through the process of acquiring new security capabilities, awareness will grow. It's the responsibility for customers and vendors to work together to reform the process and reduce taxes, particularly when we face challenges such as skill shortages and evolving threats.  

Secondly, some trends are inherently reducing taxes. Software-as-a-service (SaaS) products provide an easier, faster procurement and implementation process. The taxes around care and feeding go down because with cloud back ends, the vendors gain visibility into how the solutions are performing, which allows for faster feedback loops and further refinement. Maintenance pain points such as patching and performing other system administration on self-hosted solutions also are greatly reduced with a SaaS approach.

Thirdly, with cloud-based back ends and data sets, it's often easier to share information, either inside a particular vendor across its customer base or between organizations that want to utilize the collective expertise to improve threat intelligence. So there's more collaboration in less time, which should be a net positive.

Finally, we need to grasp advancements in machine intelligence and automation to help make a dent in the tuning process. By observing events within a particular solution and understanding how humans interact with them, tools should adapt to optimize the human-machine interactions. Teams can become more effective through self-optimizing technology.

We used to have a saying that each attack should make the entire community stronger — does each interaction with a product make it stronger? We can hope. And we can act. By recognizing the hidden costs of cybersecurity, we can begin the work toward reclaiming time and money. The burden is on all of us to come together to improve, so let's make 2018 a year where cybersecurity tax reform starts to take hold.

Related Content:


Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 ( and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...
PUBLISHED: 2020-02-20
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file whic...
PUBLISHED: 2020-02-20
Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attack to use the product installer to load other DLL files located in the same directory.