On the coming age of silver bullets


I keep telling you time and again that «there is no silver bullet in Information Security», despite the vendors' blatant attempts to claim otherwise.

You cannot buy a box that solves your problems at once. Every tool needs a skilled person to master it. And still we look forward, hoping for the best and for the victory of reason, while trying to guess the shape of things to come. There are emerging technologies, deep learning, AIs and stuff that certainly will change everything. Someday. And there are promising startups that have already started doing it. But is it really the most important change we expect — right now?

I don't think so. Though most of my colleagues truly enjoy playing with expensive «state of the art» toys, or even making such toys for businesses wealthy enough to afford them or paranoid enough to think they need them regardless of the price and effort, there are things we should do with old tech before we get ready for the new one.

Just two things.

Make current «state of the art» security affordable.

And make it usable.

This applies to many technologies that have been around for a long time but are somehow still considered a «luxury» that a typical business outside fintech, or other members of the rich kids' club, can hardly afford.

Consider enterprise risk management tools, continuous vulnerability management, PIM/PAM, SIEM, DLP, whatever. (Yes, SIEM. Do you think it is a commodity already? I used to think so, until I read a few recent reports about how bad things outside of our ivory tower really are.)

By «not affordable» I mean that a tool (a program, a system, ...) is either too expensive or requires too much in-house expertise and work time for deployment.

Being «not usable» means not following the business's natural workflow and being hard to maintain if you do not have dedicated information security staff doing exactly that.

The technology cannot be considered mature until it abandons «developer-friendly» antipatterns in favor of user-oriented heuristics, streamlines the typical deployment process to the point where it does not require a «product specialist» to assist, and finally integrates well into your existing processes, so that it becomes a tool that helps people do what they routinely do, not something that needs to be «maintained» and «worked on».

Sounds much like a silver bullet…
