When it comes to security vendors, outright pessimism is supposed to be an unassailable taboo. Things are always bad but never so bad that enterprises or consumers can’t fight back, usually by buying a security product.
Most enterprise security vendors still follow this credo but one that’s recently decided to break ranks in its own way is EMC security division, RSA, whose new president Amit Yoran offered what sounded like a pretty downbeat assessment of security’s prospects at the firm’s recent RSA Conference.
“We [have] shifted from the unrealistic and naive perspective that enterprise networks could be kept pristine and protected at all times, to one which acknowledges today’s reality: and that is that given a modern and complex corporate environment, and an adversary with technical acumen, focus or intent, and enough time, compromises are an inevitable reality.
“The question is not if, it’s when, and how badly. Will this be a nuisance, or will this be catastrophic?,” he expounded in his keynote. He even took a pop at the notion that governments will ride to the rescue.
You don’t normally hear presidents of security companies being this qualified about life although Yoran has a history of bleak realism dating back to his days as the CEO of NetWitness, acquired by RSA in April 2011. Security vendors often talk down defences because that’s part of selling new systems but this seems more fundamental than that. Perhaps we shouldn't be that surprised - It follows up EMC chief Art Coviello unexpectedly pointing the finger at the NSA shenanigans in his feisty 2014 address.
By the time RSA landed in the UK the following week for its follow-up event, the firm’s chief trust offer Dave Martin was offering much the same message: security is broken but do CISOs know this yet?
By interesting coincidence the NetWitness acquisition occurred only weeks after the most traumatic event in the firm’s long history, the infamous 2011 compromise of the firm’s widely-used SecurID token system was badly compromised using, reportedly, nothing more sophisticated than targeted phishing emails. Yoran had picked a prime moment to arrive, just after an incident that continues to define the whole company.
Of course pessimism could be seen as a form of sales pitch, just more in tune with the realities that the customer has become aware of. But it’s not all doom and gloom. RSA has a new way of looking at the world called ‘Intelligence-driven security’ that’s not that different from the visions pushed by many of its rivals.
But I take some heart from RSA’s brave decision to talk about security as it so obviously exists, that is in an imperfect form. The next big movement in security is away from brute defence to response, the ability to survive attacks not simply see them. Detection and remediation will always be partial in an age when nation states now sponsor some of the most dangerous and increasingly destructive cyberattacks. These forces can’t, realistically, be defended against using boxes and software alone and will take a new mentality to survive.
Hitherto, the tech industry has banished the pessimists but they might yet have their moment - and their uses.