Why (Cyber) Security Is So Hard
“It is the programmer’s job…no wait the system admin…no, no the network engineer…err who is running our security shop again?!?”
Deadlines missed because of “stupid security needs”.
Groans, and lost revenues, as yet another fleeting security product results in yet more business disruption.
Man, security stinks.
The reality is that security is not some evil plan by nerds to take down corporations – rather it is just in the wrong place at the wrong time. Security is also poorly understood, rarely implemented properly and it needs to evolve.
First the Big News – cybersecurity is not “encrypting some data” (which, BTW, precludes almost every “solution” in the IoT space). Rather cybersecurity is the ability to monitor and control how a system behaves. This translates into technical things such as authentications, authorization and, yes, encryption. Security also translates into nonobvious features such as central administration and reporting/system visualization. Cybersecurity, therefore, cannot be construed through the lens of a series of one-off partial solutions for an overall system – rather it needs to be considered through a holistic lens across the entire system.
Proper security, therefore, is a foundational tool upon which systems should be built.
With a basic understanding that security is really a foundational tool, it becomes fairly clear that security really needs to move out of the way. Think about it – people are trying to build into systems the foundational upon which those systems should reside.
You are not asked to break your email into packets and send those packets over the network. Instead, brilliant people in the past realized that all systems needs to be built on ubiquitous communications foundations and moved their technology down and out of the way. You do not see people trying to write code to send packets of data over the wire into their applications – that makes no sense – so why are they trying to add in security?
If you look at all of the reason why security sucks, it is clear that those issues all revolve around a foundational system (security) being forced into the upper levels of IT and business. Companies want to build functionality and not get dragged into the mire of foundation building – especially when the current options force a kluge of disparate technologies throughout an enterprise.
Sure Bear does just this type of work – we move security down and out of the way – but the repercussions of that move were surprising. We had intended this move to enable us to free ourselves of operating system dependencies (it did) but we did not realize the true breadth of this approach until we succeeded in building our initial smart layer.
What we discovered was an amazing ability to effortlessly change and adapt to new attacks, gain incredibly-detailed views into systems and scale at massive scales – all with no business disruptions and all without really caring what is running on top of us. We discovered that cloud services, IoT devices, mobile apps – it really did not matter. We even run under modern options such as VPNs with no impact and over every medium we have discovered – WiFi, Bluetooth, OTA, RF and even microwave. It is almost as if the current Internet architecture was waiting for a system such as ours.
Security is NOT hard – it is a foundation. Things get hard when you try to force foundational efforts into the very systems upon which the foundation should be built. Correcting the fundamental issue and security becomes both easier to accomplish and no longer an obstacle for business success.