What do firewalls, SIEM, SOAR, and many other cyber security products all have in common? Apart from the obvious answer, that they all protect enterprises against threats one way or another, I see one common thread. The vast majority of today’s security products are developed and designed as “empty-slate” platforms that need to be built up and configured by you, the user. Almost none of these products have a true “out of the box” experience that fits the majority of users. Most of these products require months and months of onboarding, setting up, tuning, and customizing until they are ready to fulfill their duty in the fight against threats. But the big question is: why do we tolerate this? When you purchase a new smartphone, it works and is fully operational in minutes. True, we are talking about B2B enterprise software and not consumer products, but what is really preventing these products from providing a similar experience? We desperately need a better supportive infrastructure around our security products, to maximize their security coverage and efficacy.
Looking at the numbers
With the IT security consulting market estimated at $20 - $25 billion in 2020, is the current situation all that surprising? Analyzing the financial reports of key cyber security vendors shows that roughly 40% of their revenues are derived from maintenance and professional services, including jump-start services. Clearly, today's security products are way too complex and require significant heavy-lifting before returning on their initial investment.
Why should we care? Security. Security. Security.
Apart from the obvious growing expenses that burden customers, let’s look at the security implications:
- Initial setup - To mitigate risks, customers purchase the best security products they can afford. Significant post-sales efforts are then made to set up and tune the product, as well as to educate the IT staff and many employees. This process can take months to complete. Beyond the long duration of this post-sales stage, it is almost impossible to ensure a consistent success rate because of the personnel and technological constraints during the process. It takes a lot of time, during which the company remains vulnerable and less secure, and the actual result hardly ever matches the pre-purchase security goals that were originally set by the customer.
- Ongoing maintenance - The biggest challenge remains the efficacy of these security products over time. Even if we assume that the initial setup was perfectly executed, the effectiveness of the security policies and configurations deteriorates quickly (see related blog). Without continuous maintenance of these products, our security investments have less impact and provide less protection as time goes by. Even with everything originally built correctly and configured for the right use cases and policies, threats evolve over time. Too many systems are neither maintained properly nor updated at the right frequency. Furthermore, often the initial team responsible for the original setup no longer exists, and the ongoing maintenance has been delegated to less qualified staff members.
A reality check for enterprise security software products
Why aren't our security vendors taking the necessary steps towards a simpler ‘out of the box’ experience? Surely the complexity of today’s IT networks is a significant factor in our current situation. Having to accommodate so many components within the IT network - users, products, networks, devices, cloud - and the relationships between them is no trivial matter. As a result, the security products need to craft a generic and flexible infrastructure to meet the many use-cases.
Furthermore, is it possible that the vendors have come to rely on consulting and professional services to such a degree that they cannot imagine a world without them? Could the vendors’ legal departments push back because of the potential liability from a breach associated with their security product deployed in the default “out of the box” configuration?
It is time for a change
In the early 2000s, purchasing a new mobile phone required a week to set up. You had to restore your address book, reconfigure your local service provider settings, and reinstate the basic settings of your previous phone. But in the smartphone era, with cloud backups, this bootstrapping takes less than an hour. Our security vendors should be offering a similar, clear, “out of the box” experience, but given the market’s current state, we should consider a more practical approach. Why not start by having security professionals in the industry share best practices and leverage automation to replace unnecessary manual processes? Making a move in this critical direction will enable us to invest more in new technologies, as opposed to backward-looking investments in professional services. It will raise the security bar for each company by making sure that existing security products are always tuned and configured in the best way possible.