Sorry! After my report of Nathan’s Million to One Shot, Doc post, I could not resist titling this post with “Breach Fatigue.”
Sarah Kuranda reports expected lower spending on security with this quote:
Wright said some customers interviewed by Technology Business Research also cited what some are calling “breach fatigue” as a reason behind lower security spending. Year after year of mega breaches have caused massive jumps in reactionary security spending, Wright said companies are now saying, “There’s not much more I can do.” (emphasis added) [Is The Security Spending Party Over?]
“…[M]assive jumps in reactionary security spending…” have benefited the security services/software vendors but have not appreciably increased enterprise security. That much is known.
What remains unknown is why companies say:
There’s not much more I can do.
Post this scenario to your nearest business manager/executive:
Assume that all the locks are broken on your new Lexus and it isn’t possible to remove the ignition key:
Here are the options enterprises have followed to protect the Lexus:
- Surround the Lexus with a chain-link fence, with missing sections. (defective security software)
- Surround the Lexus with a chain-link fence, with a gate-lock with the key in it. (defective security software design)
- Staff the gate with personnel who can’t recognize authorized users. (poor security training)
- Purchase broken/insecure solutions to protect a broken/insecure vehicle. (poor strategy)
No doubt, enterprises can continue to throw money at defective software to protect defective software, with continuing mega-breach results.
To that extent, realizing throwing good money after bad is a positive sign. Sort of.
What more enterprises can do: invest in, and require, secure software. It is more costly, but layering broken software on top of broken software has failed.
Why not try something more plausible?