Is the security industry getting better?
This question was posed by Joshua Corman, director of security intelligence at Akamai, during his address at RSA Europe in Amsterdam yesterday. According to Corman, the answer is no.
"Our dependence on IT is growing faster than our ability to protect it."
During his presentation, Corman outlined his security priority pyramid, which he created based on how one would be expected to respond in the event of a zombie apocalypse.
Much like Maslow's Hierarchy of Needs, the elements at the bottom of the pyramid have the largest impact on your ability to defend yourself, while the elements at the top have the least impact, he explained.
Starting from the bottom of the pyramid, Corman noted that if you were being chased by the undead, you would choose to hide somewhere secure rather than in an indefensible location. "Often the IT choices we make preordain us to failure. No amount of heroism, staff or money can protect you if you have an infrastructure you cannot defend," he said, adding that creating an infrastructure you are better able to defend will dramatically improve your ability to protect your organisation.
The next level of the pyramid is IT operational excellence, which is not so much about the security you buy than about how well you reduce the operational entropy and chaos in your environment. In the event of a zombie apocalypse, those who survive are the ones who steer clear of the chaos, he said.
Situational awareness, the third level of the pyramid, involves improving your organisation's visibility and being conscious of what is happening around you, as one would do should zombies ever rise from their graves and roam the Earth in search of human brains, noted Corman.
"Countermeasures are at the very top of the pyramid and have the least impact on our ability to defend ourselves against our adversaries," said Corman, and yet this is where we spend most of our time. "This approach may have made sense in 2003 when we had fewer adversaries and simpler IT, but now it is holding us back."
Even though we know that we need a better defensible infrastructure, we tend to focus on countermeasures, he stressed.
Corman cited DevOps - which is an intersection between development and operations - as an opportunity to shift security priorities. Despite the fact that the development team seeks to cause changes, while the operations team looks to prevent them, he called on the development and the operations teams to align their goals. This allows for more frequent deployments and fewer failures, he said.
This requires both a cultural and attitudinal change, Corman concluded, noting that those who resist the change could find themselves at the mercy of the very adversaries - be they zombies or hackers - they were trying to defend themselves against.