Almost 60 years ago Dwight Eisenhower gave his indelible military industrial complex speech. In the speech, he talked about the need “to find essential agreement on issues of great moment, the wise resolution of which will better shape the future.” He also spoke about how we should use our “power in the interest of world peace and betterment,” and that to strive for less would be “unworthy.” He astutely calls out that “good judgement seeks not only balance but progress,” and “the lack of it eventually finds imbalance and frustration.”
As I approach my 17th RSA conference, I reflect back on Eisenhower’s speech and realize more fully what I have witnessed for almost 18 years: the rise of a cyber industrial complex. Seventeen years ago, the RSA conference was attended by several thousand people, had a few hundred sessions, and a few hundred vendors. This year the conference is expected to draw some 45,000 attendees to more than 550 sessions and 700 vendors in addition to all the other unaccounted-for activities and adjacent attendees for ancillary meetings, side conferences, and the multitude of other vendors roaming around without a booth.
But even with the growth of security vendors and the attendant rise in spending that has occurred, we have not as an industry delivered real progress, as evidenced by the continued exponential growth in the cyber risk cycle. Some say this is because we have historically underfunded information security—but while that may be true, it’s only a contributing factor and not the full story.
I came to the conclusion almost 10 years ago that the security industry profits from the insecurity of computing and thus at a macro level has no real economic incentive to solve the problem. I have written on this subject many times, spoken about it at many conferences, and even testified before the Senate and the FTC on the financial motivation of the industry as it exists today.
In 2002, in my early days running security at Intel, I drew a diagram called “The Perfect Storm of Risk.” As published in my book, Managing Risk and Information Security, the diagram (figure 1) shows how threats exploit vulnerabilities and the confluence of several other interdependent factors that can fuel this storm of risk. My role has been and always will be to the best of my abilities to understand these factors and properly control for the risks that could affect my organization, my customers, and my shareholders.
Figure 1 - Source: Managing Risk and Information Security 2nd Edition, Malcolm Harkins
Since I first drew this diagram in 2002, I believe we have all witnessed a perfect storm of risk with full force at one time or another—and the storm of risk continues to grow year after year, despite thousands of new security vendors and thousands of new capabilities sold that purport to control for these risks. We have also all witnessed a plethora of public policy discussions around cybersecurity that have called out the national security dangers we face and in some cases state bold initiatives to tackle such problems only to see that no real progress to mitigate the risk has been made.
Why is this? Why haven’t we as an industry made substantive progress on managing the cyber risk cycle?
Perhaps a fundamental reason why progress hasn’t been made is because of the economic incentives of the industry as mentioned above. Eisenhower warned back in 1961 that, “we must guard against the acquisition of unwarranted influence by the military industrial complex,” and that, “the potential disastrous rise of misplaced power exists and will persist.” He warned that “public policy could itself become the captive.” I believe this is manifesting today as the lack of progress resulting from the cyber industrial complex lacking the proper economic incentive to solve the problem.
Looking back on my “Perfect Storm of Risk” model, I must update this timeless diagram with the hidden hand of the industry itself which, “whether sought or unsought,” has contributed to this cycle—first by not being accountable for the controls that failed, then by pursuing a public policy agenda meant to influence legislation in the industry’s favor. This not only protects the industry but promotes compliance regimes that do little good in mitigating the real risks we face as individual citizens and as a society. The industry has taken the notion of defense-in-depth to manage risk and turned it into a cycle of expense-in-depth that generates economic waste by pervasively focusing on a reaction to risk and adding layers to mitigate failed controls rather than having a control bias to either prevent or stop the cycle of risk as early as possible.
On March 5 at the RSA conference, I will be giving a talk on Expense in Depth. I will describe how our current approaches to information security are economically inefficient. I will explain total cost of controls and offer a new paradigm around managing risk using an economic lens to get us out of the current cyber industrial complex paradigm. I will explain with real-world examples how a paradigm shift in how we approach controls can not only reduce risk but also lower the real long-term economic costs to our organizations.
Eisenhower warned that we must “not fail to comprehend the grave implications of the path we are on as a nation … we must avoid the impulse to live only for today, plundering … the precious resources of tomorrow.” He warned that we cannot “mortgage the material aspects of our grandchildren;” otherwise we risk becoming “the insolvent phantom of tomorrow.”
The RSA conference theme this year is: Better. For us to get better, CISOs, CSOs, and CPOs need to take control of the industry rather than be controlled by an industry that by and large has failed us and the organizations we serve. We need to take control of the public policy discussions and implement change to nullify the influence of the cyber industrial complex that has arisen over the past few decades.
As a community, we need to force attribution to the control(s) that failed so we can learn from our mistakes. We need to champion transparency to see which approaches and technologies work, and which controls create a false sense of security while allowing the risk and spending cycle to continue. If we do this correctly, we can create an incentive for the industry that will accelerate the deployment of controls that reduce cyber risk and reduce the long-term costs to our organizations. This will right the imbalance we have today with the vendors controlling our destiny and reduce the frustration that we all feel with the lack of real progress we have made.
Striving for anything less would be unworthy.