The Cyber-Insecurity Industry?

Cyber-security firms put great effort into supplying new products designed to protect companies and their networks from hackers. Every year we attend conferences where the security industry talks about new threats and innovative protections against them.

But the attacks and exploits continue. No one seems any safer – even security firms have been hit. Just in the last few months we have become all too accustomed to politicized "hacktivists" such as the Anonymous group. Meanwhile, garden-variety cyber-crime continues, and we hear about millions of compromised accounts. So why isn't the security industry making us secure?

There is plenty of blame to go around. And the security industry itself must shoulder its fair share of it. Cynics have suggested that the security industry is like the diet-products industry: If it really delivered what it promised it would wipe itself out.

Even less cynical observers note systemic problems. Security vendors tell scare stories to draw customers to their particular products. These products may be very good, but they only address part of the range of threats. And the rise of mobile technology and social networks has expanded that range of threats.

But the biggest part of the security problem is that firms keep hoping that major breaches won't happen to them. And hope, as all too often noted, is not a strategy. Firms buy security software packages against old threats, ignoring the reality of new threats. Or they simply avoid spending money on security because it has no easily measured ROI. As one security expert – who declined to be named – observed, companies are less motivated than the cyber-criminals who attack them.

So long as that is the case, cyber-insecurity will remain pervasive.

The security controls set forth in industry standard ISO/IEC 27002, applied within the management system its companion standard ISO/IEC 27001 defines, provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but each is designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Bruce Schneier: "Security is not a product, but a process."