1:00 PM -- Security professionals spend their whole day trying to eliminate vulnerabilities, stop hackers, and lock down sensitive information. What if, one day, they actually succeeded? What if, by some miracle, they created a perfectly secure system?
Yep, that's right. They'd all be out of a job.
It's a harsh reality, but the fact is that every security pro's livelihood, and indeed the very growth of the security industry itself, depends on the threat increasing, not decreasing. The greater the danger, the more money allocated for security staff, technology, and pay raises. If the danger ever decreases, security will become less important, and those dollars will begin to go away.
This reality became crystal clear to me this week as I attempted to research my story about the cost of IT security incidents. (See How Much Does a Hack Cost?) In the story, I searched for "conventional wisdom" and hard numbers to show what it costs for an enterprise each time it gets hacked.
What I found, however, was an ever-growing pile of "research" (and in some cases, I use the term loosely), often created by security people to help other security people prove that there is a reason for their existence.
Now, don't get me wrong. I'm not saying that there aren't huge security issues in the enterprise, or that hackers and insider threats are all mythical. I know that the threat is very real. A few interviews with companies that have been hacked, or wrecked by a worm, will prove that.
What I am saying, however, is that the security industry itself has a vested interest in making the threat seem as scary as possible. Want to get enterprises to buy security technology? Publish a survey that demonstrates a growing threat in that area. Want to get your CFO to buy off on a large security project? Show him a report that demonstrates a high cost per incident. Vendors and IT people both need big threat numbers to justify their growth.
This concept was reinforced for me recently when I wrote about the 2006 Computer Security Institute (CSI)/FBI study, which suggests that the number of security incidents across the industry has actually decreased in the past year, and that the cost of each security incident has gone down over the past several years. (See CSI/FBI: Violations, Losses Down.) Some people in the industry were downright incensed by that study; they assailed its methodology, criticized its respondents, and pooh-poohed its results.
As I look back on it now, I wonder: Were those IT security people truly concerned about the principles of scientific surveys, or were they just upset that the need for their services was being questioned? A survey that suggests the security threat may be decreasing, even if it's true, doesn't help the cause of anyone in the security industry.
Next time you do a budget, or make a case for a security purchase, or discuss your product's "value proposition," try doing it without finding the biggest threat numbers you can find. It's tough, isn't it? Because as much as we hate hackers, vulnerabilities, and security threats, if we want to grow, we need them to grow, too.
Note: Your responses are invited! But please don't send email; post your feedback here on our message board.
Tim Wilson, Site Editor, Dark Reading