Ben Johnson

Tax Reform, Cybersecurity-Style

How the security industry can be more effective and efficient by recognizing four hidden "taxes" in the buying and selling process.

In the political world, taxes are an incredibly divisive, contested, and complicated issue. In everyday life, taxes are a staple, the more frequent of the two certainties in Benjamin Franklin's adage that "nothing can be said to be certain, except death and taxes." Regardless of the time or place, if taxes come up in discussion, it's likely to be with a negative tone. That's why we hear recurring calls for tax reform.

The cybersecurity world has its own form of taxes, and it too is in need of a reform. What do I mean by that? Let's dive in.

The Procurement Tax
One would think that having a popular product or addressing a major security gap would result in a quick transaction between a buyer and seller. The reality is that it often takes multiple pitches and discussions just to get to the proof-of-concept stage. Even this is only possible if there's already a project for this type of solution. If not, the cards are stacked in favor of friction, taxing all those involved, such as value-added resellers and others, just to get into a proper evaluation. In this scenario, we might as well call meetings taxation. If you had to go through multiple demos, meetings, and paperwork before you could buy a car or TV, would you still want it?

The Implementation Tax
Let's assume you successfully procure the product or service. From here, the new capability must be deployed in the environment, taxing internal teams. The implementation phase often requires dedicated resources to get the new capability to anything comparable to what was pitched during the demo.

The coordination of getting assets, like space on the ESX server or a place to drop hardware, involves a procurement and implementation process of its own. Next, companies must determine who has ownership of the product and empower that team to ramp quickly, which often equates to training. This means less time is spent defending and more time is spent on forming new processes. And finally, in the modern security tech stack, if you're not integrating, automating, and orchestrating your capabilities across the existing technologies, you're playing from behind.

If you're a vendor, think about how much time it takes to close the sale, and then understand that it is after the purchase order is issued when most of the actual work for your buyer begins. Vendors would do well to think about how to reduce as much of the implementation tax as possible.

The Care-and-Feeding Tax
When the new capability is procured and implemented, are we good? Did we pay the rhetorical sales tax and are now in the clear? Sadly, no.

One of the top challenges in cybersecurity today is the shortage of skilled professionals. There simply aren't enough qualified individuals sitting in the right seats who are able to maintain the products monitoring their environments. According to a Gartner report from last year, by 2022 there will be 1.8 million unfilled positions in cybersecurity, which means far fewer people are available for the care and feeding that these products require.

The second challenge is what I like to call the deploy-and-decay problem. Deploy and decay indicates that technology and capabilities actually become worse over time rather than improve. Security requires proper, consistent care — like brushing your teeth every day — except that with large teams, cyber hygiene involves changing toothbrushes, more and different teeth, and bureaucracy.

Vendors need to understand that there are almost exclusively two kinds of users of their technology: those who do not live and breathe security, and those who do but have no time. So the actual human expertise being applied to the products is often low, simply due to minimal experience or minimal time. And yet products continue to require a tremendous amount of care and feeding: tuning rules, playbooks, and policies. The environment is shifting and dynamic, and so are the attackers; if the landscape and the adversaries are both in motion, the defensive capabilities also need to be. This taxes the security team tremendously.

The Consulting Service Tax
If you outsource or largely leverage services, you might be thinking that the tax analogy doesn't apply. But let's say you use a managed security service provider that rarely talks to you and tries to take as much of the burden as possible. The tax there is a lack of understanding and a lack of context, so how effective is that service really? Or, if there are lots of interactions between the outsourced team and your team, then you're both paying for the service and paying in time to educate that service. So there's still a large tax to keep defenses up to par.

Now the Good News
First, like most challenges, there must be general awareness. The security industry seems to be waking up. As companies move through the process of acquiring new security capabilities, awareness will grow. It's the responsibility of customers and vendors to work together to reform the process and reduce taxes, particularly when we face challenges such as skill shortages and evolving threats.

Secondly, some trends are inherently reducing taxes. Software-as-a-service (SaaS) products provide an easier, faster procurement and implementation process. The taxes around care and feeding go down because with cloud back ends, the vendors gain visibility into how the solutions are performing, which allows for faster feedback loops and further refinement. Maintenance pain points such as patching and performing other system administration on self-hosted solutions also are greatly reduced with a SaaS approach.

Thirdly, with cloud-based back ends and data sets, it's often easier to share information, either inside a particular vendor across its customer base or between organizations that want to utilize the collective expertise to improve threat intelligence. So there's more collaboration in less time, which should be a net positive.

Finally, we need to grasp advancements in machine intelligence and automation to help make a dent in the tuning process. By observing events within a particular solution and understanding how humans interact with them, tools should adapt to optimize the human-machine interactions. Teams can become more effective through self-optimizing technology.

We used to have a saying that each attack should make the entire community stronger — does each interaction with a product make it stronger? We can hope. And we can act. By recognizing the hidden costs of cybersecurity, we can begin the work toward reclaiming time and money. The burden is on all of us to come together to improve, so let's make 2018 a year where cybersecurity tax reform starts to take hold.

Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's chief security strategist. As the company's original CTO, he led efforts to create the powerful capabilities that helped ...