The question all security buyers need to learn to ask, and vendors answer

In the last few months I have had the opportunity to talk to a wide range of people in our industry, unencumbered by a business card that sets an agenda. I have spoken to vendors, investors, analysts and customers of all types and sizes. In doing so I have seen many examples of vendors and investors who are almost blindly pivoting to the next bright shiny thing, egged on by analysts who have become swept up in the fervor of creating new cyber security market segments. The resulting turmoil is leaving our customers behind, asking what they should do.

There is no doubt cyber security is hot. Over the last couple of years, I have had a string of VC and PE firms wanting my help to get them a slice of the pie. Money has flooded in to fuel what is in effect a war effort happening on commercial terms. As in many modern wars, industry is not supplying a centralized army or war office, but individual militias who are short on resources and often sound like cavalry officers in World War I, finding themselves overly exposed as they watch tanks roll by, biplanes overhead and clouds of mustard gas around them. This is a war where the speed of innovation in weapons development is unprecedented and the results massively asymmetric. Every day there are adversaries out there doing the equivalent of an infantryman in the trenches of Flanders creating a tactical nuke, complete with delivery system, without any of the fuss of 25 years of science, the Manhattan Project or Wernher von Braun and Redstone. Weapons that, if they were conventional, would only be available to nation states can now be acquired by almost anyone. No wonder so many customers are left confused as to where to turn next in the search for something, anything, that will make the world better.

Therein lies the problem. Desperation. When you are injured in battle and the trusted therapy or medication stops working, you will look at alternatives, even the ones that in other circumstances you would have written off as crazy. Focus also shifts to treating increasingly significant symptoms rather than the underlying condition, and that is where I believe we are today. We have a war being fought with unprecedented scale and weapons sophistication, creating casualties that are looking anywhere they can to patch their wounds and get back into the fight. They have plenty to choose from and people prepared to offer almost anything. So how does a CEO, CIO or CISO make the right decisions at this point? Well, I believe that there is one question they need to be asking when evaluating a new product or service, and ensuring it gets answered to their satisfaction.

What guarantee can you provide me that what you offer is going to reduce the number of bad things that happen?

In other words, prove to me that what you offer is actually going to increase my security.

It is that simple. Demand proof and focus on things that stop incidents. That last piece is important. I am not advocating a defense-only strategy; that stopped working a long time ago. If you believe you can build an impenetrable wall that will never get breached, you are nuts! Just like on the battlefield, you should be prepared to treat wounds that have pierced the body armor protecting vital organs, or hard-to-protect ones like the head, very differently from a flesh wound in a limb. Finding and getting out that bullet or shrapnel sitting next to a major artery or organ, quickly and efficiently and under fire, is a priority. Having armor that either stopped it in the first place, made it less lethal or helped you pinpoint the exact location is better.

So, who are the vendors who can answer this question? I am not going to name names, but I can tell you what I see them working on.

  • Identity – Enabling you to know someone or something is who or what they say they are.
  • Information – Making it only accessible to those who have a real right to see it.
  • Automation – Less focused on the mundane and more on helping the battlefield troops.
  • Disruption – Of attacks and attackers.
  • Expertise – Providing you with access to mercenaries or helping you develop your militia.

In each of the above I have come across vendors who can put real data behind their claims, data that I can map directly to better outcomes for their customers. The form of the guarantee may vary. Some offer results-based payments, a few are working on insurance-backed guarantees, and others are simply able to show and explain, with hard customer data, how they have stopped bad things from happening, for example by identifying bad actors before they act or by enabling organization-wide encryption.

If more people learn how to ask this question, refuse to be swayed by arguments that address symptoms or by false propaganda showing how they are winning the war, and vendors focus on delivering products and services that stop bad things from happening, we will win in the long run.
