It’s easy to see information security as a never-ending stream of attacks. Perhaps the most distressing thing about the year’s outages and breaches is the fact that there is an awful lot happening that IT doesn’t know about. Security experts frequently warn that just because there is no evidence of a breach doesn’t mean there isn’t a breach. That was definitely true at Yahoo: The internet company disclosed two gigantic breaches, but the scariest thing wasn’t the number of victims — it was the fact that they happened years ago and no one even suspected.
“We went years with billions of records being sucked out from right under our noses and we didn’t even know it,” wrote security expert Troy Hunt. He called the current mindset “conscious incompetence,” where we know we have a big problem. That’s a better place to be than the previous stage, where the prevailing attitude was, “It won’t happen to me.”
The big question is knowing where to go next. “How much more are we going to discover over the next year? Or not discover at all?” Hunt asked. If we are finally getting real about security and coming out of the shadows, we should begin to make real progress.
5. We may finally get security promises we can bank on
As consumers, we demand our money back when we are not satisfied with a product’s performance or functionality. But IT typically doesn’t get that option with security products. Only 25 percent of U.S. IT security decision-makers said their primary security vendor is willing to guarantee its product by covering the costs of a breach, including lawsuits and ransoms, according to a recent survey by endpoint security company SentinelOne. But most IT security professionals in the survey said they would like security vendors to offer a guarantee that their products would deliver on their promises — and 88 percent claimed they would change providers if a competitor offered such a guarantee.
“The industry has reached a tipping point, where security vendors will need to guarantee that their products will hold up against cyberattacks and assume responsibility if they fail to do so,” said Jeremiah Grossman, chief of security strategy at SentinelOne. “Customers are tired of paying additional fees to address security breaches, especially when they have already paid for security defenses in the first place.”
There are now a handful of companies that offer security guarantees. SentinelOne’s guarantee covers $1,000 per endpoint, or a $1 million per-company payout, in the event of a successful ransomware infection after installing SentinelOne’s Endpoint Protection Platform. For organizations that have deployed Cymmetria’s MazeRunner cyber-deception platform, Cymmetria covers the costs incurred in notifying victims, hiring attorneys, bringing in digital forensics investigators, and repairing the damage if an advanced persistent threat gains unauthorized access, moves laterally through the network, and steals protected information from compromised systems. Trusona and WhiteHat Security also have similar product guarantees.