News & Commentary
6/30/2017 10:30 AM
Joshua Goldfarb
Commentary

The Case for Crowdsourcing Security Buying Decisions

Why our industry needs a sharing platform with open and transparent access to peer knowledge, meaningful metrics, and transparency around security products and services

The Internet has forever changed the balance of power around information. To help illustrate this point, consider the process of buying an expensive item or hiring someone for a large project. Years ago, the buyer (the consumer) was at a tremendous disadvantage because of his or her information deficit. The seller (the person performing the work or the retailer) held all of the cards. The seller knew what his or her costs were, what profit and margin would be made at various price points, and precisely what other options the buyer may or may not have had. Thus, the chance of the buyer making an educated and informed decision was nearly non-existent.

Fast forward to today. Regardless of what I am looking to purchase, as the buyer, I have access to a wealth of information. In addition to technical and financial details, I also have access to another source of information - one that is potentially the most valuable of them all. What is this secret weapon I am referring to? The experiences of my peers. Sometimes, the best way to understand what buying a product or service really entails is to ask those who have bought it previously.

Of course, we’re all familiar with numerous examples of this transfer of knowledge across many different industries. But for some reason, this seismic shift hasn’t made its way to security’s crowded and complex marketplace, which is overflowing with both buyer and seller confusion.

Let’s examine some of the reasons why this may be the case:

  • Immaturity: Security is still a relatively young and immature market. Definitive and utilitarian criteria and metrics by which value can be measured are difficult to come by.
  • Confusion: Value is hard to measure. This makes it difficult to weigh the pros and cons of various options and to separate solutions that fit one set of requirements from those that do not.
  • ‘Drowning in Information:’ To be more precise, in security there isn’t so much an information deficit as there is a knowledge deficit on the buyer’s side. As John Naisbitt wrote in his 1982 book Megatrends, “We are drowning in information but starved for knowledge.” There is certainly no shortage of information out there, but it is generally not the right type of information, and certainly not the type needed to help buyers gain knowledge and make educated buying decisions.
  • Secrecy: There are some organizations that evaluate security offerings for buyers, though the mechanisms behind the evaluations are far from open and transparent. Without knowing how these organizations perform their evaluations, who was included, and how the organization operates, it can be difficult to know how to interpret the results.

A Sharing Platform for Security
There’s no easy answer to these challenges. But imagine a platform that provides open and transparent access to peer knowledge, meaningful metrics, clarity, and transparency around security products and services. Here’s what that might look like:

  • Peers: Often the best way to find out how something truly works, what problems it solves, where it exceeds expectations, and where it needs improvement is simply to ask your peers. If you have a strong network of peers who have experience with the same products and services you are evaluating, then those people will be a tremendous resource during your buying process. And if you don’t? That’s where a sharing platform could be most useful.
  • Metrics: The buying process is difficult enough on its own. Not having reliable and meaningful metrics to evaluate potential vendors, and to track the progress and success of the project after the buying decision, complicates matters even further. Benchmarks and metrics that show progress as the organization works to improve its security posture are sorely needed. Building benchmarks and metrics into a sharing platform would also be a big boon to better buying decisions.
  • Clarity: Sources and tools that can cut through the marketing hype to show what a product or service truly offers, in an easily digestible format, are sorely needed in the security field. This is another concept that’s on my wishlist for a security sharing platform.
  • Transparency: When buyers know the rules of the game and how the different players operate, they are more likely to trust the results. More trust in the results means that those results will provide more help and guidance during the buying process. In other words, if I have access, via a trusted platform, to information that is provided to me in an open and transparent manner and that comes from my peers, my confidence that the data has not been “tainted” by specific interests will be higher.

Security buying decisions, like all buying decisions, cannot be made in a vacuum. As our profession continues to mature, we need to do a better job of equipping and empowering security buyers to make the right decisions for their respective organizations. Otherwise, I see no end in sight to the market confusion we are currently experiencing.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
Comments
josh@idrra.com, User Rank: Apprentice, 7/6/2017 12:56:13 PM
Re: Humans as "early-warning systems"
Interesting perspective - thank you Joe.
josh@idrra.com, User Rank: Apprentice, 7/6/2017 12:54:02 PM
Re: What about IT Central Station?
Thank you for the comment.  I have a few ideas here.  If you would like to reach out to me privately, I would be happy to discuss further.
Joe Stanganelli, User Rank: Ninja, 7/6/2017 12:33:33 PM
Humans as "early-warning systems"
As things stand now, when humans are your "early-warning system," it's generally already too late.

Thus, getting people involved in these ways early, before something goes *way* wrong (so wrong that they would seek IT/InfoSec teams out on their own), can be immeasurably helpful. I absolutely agree with the notion that "more eyes" can help here from a practical point of view.

Of course, just don't go overboard with it. Invite input, bear in mind that all users are stakeholders, but know where the buck stops.
brendonjwilson, User Rank: Apprentice, 7/3/2017 2:00:45 PM
What about IT Central Station?
Totally agree with the article on the need. Bootstrapping a new two-sided marketplace for sharing information can be a hard problem to solve in a scalable fashion.

I did come across IT Central Station two years ago, but the information on the site was pretty thin on the ground, as was the catalog of products covered. I'm not sure if it's gotten better.

Anyone have any experience with IT Central Station?
josh@idrra.com, User Rank: Apprentice, 6/30/2017 12:05:56 PM
Re: Crowdsourcing and Open Sourcing Security
Thank you, Christian, great comment.  Very much appreciate your thoughts on this.  I have some ideas here -- please feel free to reach out to me privately, and I'd be happy to discuss further.
RetiredUser, User Rank: Ninja, 6/30/2017 11:55:59 AM
Crowdsourcing and Open Sourcing Security
You don't have to convince me.  Coming from the FOSS (Free and Open Source Software) world, I'm all about open and accessible metrics, code transparency, peer collaboration and "show me the code" clarity.  But in drawing that comparison I can say right away that there will be huge hurdles.  It took a long time for FOSS to be ubiquitous to where the average computer user knew what GNU/Linux was, or could name more than one of the top 10 popular FOSS languages.  As another DR reader noted, PGP has been around a long time, and we FOSSers have been doing "security" for decades.  But that's us.  The practice of secure coding and global collaborative development has been fairly steady and flat out works.

It would be nice to see a stab at the solutions, though. You nailed the reasons why we aren't there yet when it comes to security for the average user as developed, supported and delivered by the "megacorps", let alone Enterprise security. Could the answer be somewhere in the FOSS story, I wonder?
