Cyber Security
Are security vendors leaving your business at risk?
A By Tony Campbell ASM Correspondent
36 | Australian Security Magazine
n issue that I’ve been mulling over for some time relates to the fundamental nature of customer security engagements, especially concerning product vendors and their place as trusted advisors. This issue led me to a couple of conclusions. Firstly, there is a mismatch between what’s best for the client and what’s best for the vendor. And secondly, the security threat environment is so badly defined that vendors could be peddling "snake oil" and customers would still buy their products if it took away their fear. Today’s security industry is almost entirely product focused and driven by fear-mongering. I’ve even seen some of the big consultancies pitching up at client sites with software products dealt as the cure for what ails them. Every week, another new security vendor hits the news, riding on the back of the venture capitalists' love affair with our industry. And with each new product comes a new story of data mining, artificial intelligence and predictive analytics, which is more and more baffling for the poor old customer who needs to make a risk-balanced investment decision to address their
risks. In part, I blame the media. Since the Target attack back in 2013, news channels have focused on sensationalising big data breaches, the cyber heists undertaken by criminals looking to sell personal information on the black market. What the media has successfully managed to do is play right into the hands of the security product vendors, who are more than happy to sell software that can detect and defend against these kinds of remote attack. However, how many organisations, before having a discussion with AntiThreatWare Inc. have undertaken an actual threat assessment? Consider this. Cyber criminals are not the only category of threat actors that want to attack your business. Moreover, threat actors have a variety of different means, motives and intentions, so you need to understand all of those factors to assess the risk accurately. For example, if you run a medical scanning business, your patient data will be at risk from cyber criminals, that’s a given. But you will also be under attack from foreign nation states who might want the patient data for espionage purposes, who will very likely use different