This summer’s historic solar eclipse was an amazing sight that reminded us of the beauty of our solar system, as well as the fact that you should never look directly at the sun. The eclipse also reminded us that without being able to see something, understanding it can be very difficult. Having clear and transparent insight into something is critical — and investments into cybersecurity solutions are no different.
Businesses are investing in cybersecurity in record numbers and for good reason. Effective cybersecurity is essential to protecting critical information and infrastructure from an ever-growing collection of advanced threats, but knowing how to allocate precious capital can be make-or-break. Unfortunately, the current lack of transparency is cause for great alarm, as it can have far-reaching implications that damage all parties involved. Unlike with the solar eclipse, having only a partial view through eclipse shades or a pinhole box doesn’t quite cut it.
In the cybersecurity industry, a long period of over-funding and hype has resulted in a highly fragmented, extremely crowded and largely undifferentiated landscape of small-ish vendors — nearly 1,500 in the U.S. alone. In such a crowded market, it can be difficult to find the signal amid the noise of boisterous marketing claims. Given the growing demand for security solutions, suppliers are coming out of the woodwork to cash in, but unfortunately many offer options that solve one small piece of a problem and force users to manage multiple products, which slows down protection against advanced attacks. In addition, a product’s efficacy can be hard to pin down, and many vendors make exaggerated claims shrouded in marketing buzzwords that do little to give buyers a clear picture of the problem being solved for their business.
Once an investment is made, companies need to be vigilant that the product is truly solving their biggest pain points. If the “solution” is so complex that it requires investment in people outside your organization, your product investment might not even be worth it. Furthermore, because the needs of large and small organizations differ, it can be hard to know which security solution is best for your firm. Unfortunately, in an effort to avoid missing the “right” solution, businesses may be tempted to make multiple investments into a cadre of products, but the integration of overlapping products can create confusion and general implementation failure.
As the CTO of a cybersecurity firm that implements artificial intelligence (AI), I also see a lot of these same issues in the AI space, where vendors too often rely on marketing buzzwords without much substance to back them up. Just like security, AI is increasingly seen as a critical investment. This shouldn’t be too surprising given that AI and related technologies offer the opportunity to radically transform myriad industries and unlock new opportunities buried in mountains of data. But because of this, the intense appetite for AI products is leading to a glut of so-called solutions — many of which aren’t actually that intelligent. As with security, this makes investing in AI all the more difficult. In an overly hyped industry awash with buzzwords and filled with companies more likely to receive funding just by calling themselves AI, businesses hoping to make smart, worthwhile investments might as well be looking directly into a solar eclipse.
Having said that, these roadblocks are certainly not insurmountable. Setting advanced testing standards would be an important step in codifying what is promised and delivered by various products. Unfortunately, many of the available third-party testing organizations receive compensation from the vendors they test, which makes the results inherently biased. Instead, non-pay-to-play organizations like MITRE and the Cyber Independent Testing Lab need to become the norm.
Additionally, independent organizations like Google’s VirusTotal can lead the way with recommendations for a more transparent testing regimen. As Sean Gallagher wrote in an Ars Technica piece examining issues in AV testing, the problems stem from the lack of agreed-upon testing standards.
“Nearly everyone Ars spoke with agreed that many anti-malware tests were flawed, though they would not mention any by name,” Gallagher wrote. “And everyone we spoke to—testers included—agreed that the best tests make an effort to reproduce ‘real-world’ conditions. The problem is that few can agree on what ‘real-world conditions’ actually means—and vendors support definitions that play to their strengths. Independent tests, as a result, often run into flack from vendors.”
Establishing a clearer set of strong “real-world” conditions would be a powerful step toward a more secure future. Currently, some third-party testers’ “real-world” conditions actually use factory-made malware and don’t reflect the advanced attacks that organizations need to defend against. Some organizations, like MITRE, test against Chinese and Russian advanced persistent threats that have been found in the wild, to measure efficacy as close to real-world conditions as possible. Additionally, instead of focusing on a particular attacker tool, MITRE focuses on the techniques that attackers employ during a breach. It’s hard to get much more real-world than that.
Without transparency into what security products actually do and what they can stop, businesses are putting themselves, their data, and their people at risk. Cybersecurity is a critically important part of a business and, like AI, it can’t be avoided indefinitely. Thinking about the above issues and asking the right questions can help avoid many of these pitfalls and unlock greater security, better business decisions, and better operations.