No More Snake Oil: Shifting the Information Security Mentality
By Jeremiah Grossman, Interim CEO, WhiteHat Security
When was the last time you made a major purchase without some type of guarantee? Whether that guarantee was for the quality of the product or the comfort of a return policy, chances are good you were probably more inclined to trust the vendor who put their money and reputation behind the product. With this in mind, why is everything in the information security industry sold “as is?”
As someone that’s been in the security industry for years and with the massive uptick in large-scale data breaches, every passing day I find it increasingly odd that security vendors offer no guarantees, no warranties, and no return policies. And even more perplexing, why enterprises put up with the lack of accountability from their security vendors. Electronics, clothing, cars, lawn care equipment, and basically anything you buy on Amazon are all items you could return for a refund if you were less than satisfied. As customers, we wouldn’t swipe our credit cards otherwise. The phrase, “100 percent money-back guarantee” is in our shopping aisles, commercials, and on our minds as we’re looking to make a purchase. Somehow, security vendors have managed to dodge this expectation so far. In my opinion, not for much longer.
On the other hand, I acknowledge that most companies would be quite skeptical of a security company that promised 100 percent protection from today’s threats, and rightly so. If a vendor tells you that “everything can be hacked” or “perfect security is impossible,” while they’re not incorrect in making such statements, they are essentially deflecting accountability. The truth is organizations are spending an incredible amount of money on security companies that can’t guarantee their services. Gartner predicts global IT security spending will reach $76.9 billion in 2015. Further, by 2016 Gartner is expecting a projected expenditure of $83.2 billion.
“The truth is organizations are spending an incredible amount of money on security companies that can’t guarantee their services”
If 100 percent security is impossible, how can we expect security vendors to back up their services? The reality is that nothing is 100 percent secure, just like no product is 100 percent reliable. That said, there is a huge range of companies offering money-back guarantees on anything from a television to a car because they have product performance data to back up those guarantees. It is this actuarial data that remains the grey area for many security vendors and raises the question: how does a security provider accurately determines the performance of his product, especially to the point where he can contractually guarantee it?
In the era of the cloud, plenty of managed services and products are able to constantly update, collect data, and provide the real-time feedback necessary to obtain performance metrics. Organizations are also capable of conducting forensic investigations to pinpoint gaps in the defense or failure of a product. So, the lack of performance data is no longer an acceptable excuse for most vendors to not offer guarantees, unless of course their product doesn’t work well. Regardless, customers want security guarantees!
A recent report by ChangeWave (a subsidiary of 451 Research), entitled ‘Corporate Cloud Computing Trends,’ says the following:
“We also asked about the importance of being offered a ‘security guarantee’ by cloud service providers. Three-quarters of respondents (74 percent) say it’s ‘Very Important’ that cloud providers offer a guarantee, and another 22 percent say ‘Somewhat Important.’ Companies not using cloud place a greater importance on security guarantees than current users. As such, security guarantees give cloud service providers an opportunity to attract new customers.”
With the recent uptick in data breaches and subsequent growth of the security market, customers have a lot of options when it comes to security vendors. Once a CIO or CISO picks a vendor, they then have the unenviable task of justifying the business value and financial impact of the security product or service. Once the security vendor is on board, then begins a business relationship based on trust. There’s a very simple way that security vendors can distinguish themselves from the pack, justify their offerings, and earn the trust of their customers: accountability.
WhiteHat Security is leading this move towards greater accountability in the security market. Last year, we launched a product with a financially-backed security guarantee: if a website covered by Sentinel Elite gets hacked, specifically using a vulnerability we didn’t identify and should have the customer will be refunded in full as well as financial coverage up to $250,000 in damages to the affected company. We’re raising the bar once again and now covering up to $500,000 in damages, in addition to a full product refund.
WhiteHat Security is able to lead the charge with this idea of security guarantees because we have more than a decade’s worth of data from vulnerability scans of tens of thousands of websites, backed and verified by a team of more than 100 application security specialists in the company’s Threat Research Center (TRC). This information, combined with a number of other contributing data points, including shared data from Verizon and other incident response vendors as well as information provided directly from customers on anything from ‘missed’ vulnerabilities, to real breaches—results in a failure rate by WhiteHat Sentinel of less than .01 percent. It’s the data points and industry knowledge that make us confident that it is no longer acceptable for security vendors to sell their solutions “as-is.” Many other security vendors in a similar position can and should do exactly what WhiteHat has.
If a security vendor has enough data and knowledge of their own product’s real-world performance, they should be able to offer financially-backed guarantees. This way customers are able to distinguish between vendors who really believe in what they offer, and the value it provides, from those peddling something closer to snake oil. Guarantees also give the customer both risk reduction and downside protection. Cyber-insurance alone can only offer downside production. In between risk reduction and downside protection is where information security lives and the multi-billion dollar opportunity we as an industry have in front of us. It’s time for the industry to give up the status quo and start leveraging our data. Because if we don’t, we know the insurance companies will do it for us.