“Read my lips: no new taxes!” - President George H. W. Bush
In the political world, taxes are an incredibly divisive, contested, and complicated issue. In everyday life, taxes are a staple, the more frequent visitor of Benjamin Franklin's adage “nothing can be said to be certain, except death and taxes.” Regardless of the time or place, if taxes come up in discussion it's likely to be with a negative tone. That's why we hear recurring calls for tax reform.
The cybersecurity world has its own form of taxes, and it too is in need of a reform. Security teams today face heavy demands. New initiatives usually sound enticing but often create more work than expected. What are we talking about? Let's dive in and see.
The Procurement Tax
First-time entrepreneurs often don't understand the true cost of what they are offering. In fact, even seasoned entrepreneurs and large companies may overlook these hidden charges. The monetary value of purchasing a license is only a portion of the equation, with several aspects of the buying process costing the security team and the organization time and energy.
One would think that having a popular product or addressing a major gap that a security team has would result in a quick transaction. Reality, however, is that it often takes multiple pitches and meetings just to get to the proof-of-concept stage. And yet this is only possible if there's already a project for this type of solution. Already the cards are stacked in favor of friction, of taxing all those involved just to get into a proper evaluation. With multiple layers, such as value-added-resellers and others, there are more humans and steps involved, and that also likely means more meetings. We might as well call meetings taxation in this scenario.
Imagine if you had to go through multiple demos, meetings, and paperwork before you could pay your electricity bill? Or even something more positive sounding, like buying a car or TV? Would you still want it?
The Implementation Tax
Let's assume you successfully procure the product or service. From here, the new capability must be deployed in the environment thus taxing internal teams. The implementation phase often requires dedicated resources to get this new capability to anything comparable to what was pitched during the demo.
The coordination of getting assets, like space on the ESX server or a place to drop hardware involves a procurement and implementation process of its own. Next companies must determine who has ownership of the product and empower that team to ramp quickly, which often equates to training. This means less time is spent defending and more time is spent on forming new processes. And finally, in the modern security tech stack, if you're not integrating, automating, and orchestrating your capabilities across the existing technologies, you're playing from behind.
If you're a vendor, remember this -- think about how much time it takes to close the sale, and then understand that after the purchase order is issued is when most of the actual work for your buyer begins. Vendors would do well to think about how to reduce as much of the implementation tax as possible.
The Care-and-Feeding Tax
When the new capability is procured and implemented, are we good? Did we pay the figurative sales tax and now we are in the clear? Sadly, no.
One of the top challenges in cybersecurity today is the shortage of skilled professionals. There simply aren't enough qualified individuals sitting in the right seats who are able to maintain the products monitoring their environments. According to a report made by Gartner earlier this year, “By 2022, there will be 1.8 million unfilled positions” in cybersecurity, which means less time and energy spent on the care and feeding these products require.
The second challenge is what we like to call the deploy-and-decay problem. Deploy and decay indicates that technology and capabilities actually become worse over time rather than improve. Security requires proper, consistent care. Similar to the idea that in order to prevent cavities you must brush your teeth everyday and go to the dentist, except with large teams involved there are changing toothbrushes, different teeth, and bureaucracy. That really doesn't sound fun.
Vendors need to understand that there are almost exclusively two kinds of users of their technology: those who do not live and breath security, and those who do but have no time. So the actual human expertise being thrown at the products is often low, simply due to minimal experience or minimal time. And yet products continue to require a tremendous amount of care and feeding -- tuning rules, playbooks, and policies. The environment is shifting and dynamic, and so are the attackers, so therefore if the landscape and the adversaries are both in motion, the defensive capabilities need also to be. This taxes the security team tremendously.
If you outsource or largely leverage services, you might be thinking that this doesn't apply. But there are other taxes there that can be lumped into this bracket. Let's say you use a MSSP who rarely talks to you and tries to take as much of the burden as possible. The tax there is a lack of understanding and lack of context, so how effective is that service really? Or, if there are lots of interactions between the outsourced team and your team, then you're both paying for the service and paying in time to educate that service. So there's still a large tax to keep defenses up to par.
There are plenty of taxes when it comes to cybersecurity. We might call it friction, or cost, but regardless, the steps toward adding capabilities are inherently taxing. The good news is, there is hope.
First, like most challenges, there must be general awareness. The security industry seems to be waking up. As companies move through the process of acquiring new security capabilities, awareness will grow. It's the responsibility for customers and vendors to work together to reform the process and reduce the taxes particularly when we face challenges like skill shortages and evolving threats.
Secondly, some trends are inherently reducing taxes. SaaS (software-as-a-service) products provide an easier, faster procurement and implementation process. The taxes around care and feeding go down because with cloud backends the vendors gain visibility into how the solutions are performing, which allows for faster feedback loops and further refinement. Maintenance pain points like patching and performing other system administration on self-hosted solutions also are greatly reduced with a SaaS approach.
Thirdly, with cloud-based backends and data-sets, it's often easier to share information, either inside a particular vendor across its customer-base, or between organizations that want to utilize the collective expertise to improve threat intelligence. So there's more collaboration in less time, which should be a net positive.
Finally, we need to grasp advancements in machine intelligence and automation to help make a dent in the tuning process. By observing events within a particular solution and understanding how humans interact with them, tools should adapt to optimize the human-machine interactions. It's through self-optimizing technology that teams can become more effective. We used to have a saying that each attack should make the entire community stronger -- does each interaction with a product make it stronger? We can hope.
Moving Forward with Tax Breaks
With more vendors, more options, and more money pouring into cybersecurity, there's an urgent focus on making things improve. It's all about getting into better defensive shape, which takes hard work to see real progress. Each step often requires time and energy, and often that time and energy aren't factored into the cost of a new solution. All involved must have awareness to these taxes if we want to increase our return on investment.
On the vendor side, it's time to truly analyze at the end-to-end experience. To provide a solution you must evaluate the questions; Where can you make it easier on the security practitioners? Where can you reduce the number of calls, meetings, or amount of training required? Can your solution get better at self-diagnosing problems or start doing auto-calibration to be smarter about the environment it is in? Consider building a trial environment for your prospect and using it for the demo. That way he or she can start evaluating immediately after the demo is done.
On the buyer side, it's time to decide if those drawn-out RFP processes still produce the best outcomes. Do those lengthy and often secretive bake-offs truly have positive ROI? As for your interactions with vendors, be more involved. Really explain your problems, gaps, and what needs to be done internally to adopt their solution. No solution is perfect. However, providing deeper insights and constructive feedback while you are evaluating will help determine whether a product is the right investment for your security program.
In order for our cybersecurity taxes to be improved we first must identify them. By understanding they exist and how they might be reduced, we can begin the work toward reclaiming time. The burden is on all of us to come together to improve, so let's make 2018 a year where cybersecurity tax reform starts to take hold.