You would think that this is the perfect time to be a security vendor. Humiliating breaches lurk around every corner. Denial of service attacks grow ever larger. Bedrock platforms turn out to have (shell)shocking holes. The media love the scent of blood in the water and they keep the papers black, white, and red. It is boom times for security vendors. So what is there to complain about?
We’re going to have to change the way we sell security, that’s what.
Since 2010, security vendors have been developing ever more impressive, but specialized, security gizmos. It used to be easy to sell targeted security products because every gizmo would get air cover from the concept of defense in depth. Conceived of by the military prior to the digital age, defense in depth is the idea that more layers of defense equal a stronger security posture. For vendors, defense in depth meant it was all right if their gizmo didn’t offer wide protection because some other vendor’s gizmos would plug the holes. Forrester analyst Rick Holland called this philosophy “Expense in Depth – the multilayered approach to ensuring minimal return on investment.''
These days, when a point product gets pitched to a CSO, the response is likely to be, “Looks like a nifty gizmo, but I can’t deploy it—I just don’t have the staff.”
The IT skills shortage has become epidemic. There simply aren’t any security people available to hire. For five years now, the unemployment rate for InfoSec professionals has been less than 2% (and often 0%). The tight job market for people with security skills has had a predictable impact on wages: According to Payscale, in 2014, half of all security architects made more than $120K: that’s 50% more than the average software engineer—and a whopping 300% what a licensed nurse practitioner makes. People with security skills command more pay, leave for startups, or get poached for cushier jobs with better titles (ahem). ESG’s Jon Oltsik wrote that his #1 prediction for 2015 is “Widespread impact from the cybersecurity skills shortage.”
Normally the market fixes problems like this: rising wages in any field should attract new applicants to the business. But security doesn’t work that way. Security is harder to teach than other skills. Security is a mindset. A zeitgeist. Even a religion for some. People with the mindset are rare; like good coders and clever similes, they are hard to come by. Case in point, MasterCard is suing one of its own customers, Nike, for $5 million for poaching two of its cyber security managers.
So now what?
What should CSOs do? Without a dotcom crash, they can’t get the security people back from the startups that poached them.
Some smart CSOs are consolidating their security platforms. Partners and resellers offer packages around common platforms. The Next Generation Firewall (NGFW) vendors are collapsing network firewall and outbound web security into a single platform. IDS vendors are also integrating NGFW functionality. As Forrester Analyst John Kindervag said in his Dec. 2013 “Market Overview: Network Segmentation Gateways,” consolidating adjacent security functions into platforms like network segmentation gateways help organizations move toward what Forrester calls a ‘Zero Trust Model.’
Organizations are also starting to turn to cloud providers not just for availability but for security, as well. The cloud companies can gather security staff and then amortize that experience across hundreds of customers. Cloud architecture is relatively new, as well, since today’s clouds don’t necessarily have to take into account the ancient legacy applications that many of yesterday’s businesses are built around. This leads to a smaller threat surface for cloud platforms.
The forces pushing against defense in depth are unlikely to change in the near term. The skills shortage will continue, and cloud adoption rates will rise, which will exert pressure on IT organizations for other skillsets they lack. In 2015, the term “defense in depth” may decline in broader usage. Like the security personnel who used to practice it, defense in depth may find a new home among the clouds, where it will likely take a different name.
“Your propeller-head infosec techie that can crack packets wide open is more important than any tool you can buy,” said Ken Athanasiou, CSO of AutoNation, during a recent panel at an FBI Infragard event. “If you’ve got someone like that, make sure you keep them happy.”
But, in the meantime, for all other CSOs, “defense in depth” falls on deaf ears. Because for them, it’s all about the skills shortage.