security risk

Guest Post: Solving the Security Risk Puzzle, A Brief History

Don’t have time to read? Start listening to this blog post now:

As a 20+ year security, compliance, and risk veteran, I am surprised that no one has solved the security risk puzzle yet.  Trust me, I’ve tried, and so have others.  But, here we are in 2018, still talking about the same issues with a new slant…

The European Union’s General Data Protection Regulation (GDPR) isn’t really anything new.  We’ve seen similar regulations for Gramm Leach Bliley Act (GLBA), Sarbanes Oxley (SOX), Health Insurance Portability & Accountability Act (HIPAA), and Payment Card Industry (PCI) Data Security Standard (DSS) just to name a few.  Granted, GDPR has more teeth, as it’s the fines that really motivate companies to comply, but it’s just another attempt to fix the core problem: effectively managing security risk.

In this blog, the first of three parts, let’s take a brief look at the history of security risk management, or the lack thereof.

Security vs. Compliance

To secure or to comply; those are two very different questions.  Prior to 1999, we didn’t really ask either question.  Yes, we had security solutions, but most of the spending was by the government and financial institutions.  That started to change after we exited Y2K.  However, the spending was focused on complying with new regulations, not necessarily securing our systems or data.

In the first half of the 2000’s, we see the evolution of the security market to address the technical requirements of these new regulations and the creation of a new market; governance, risk management, and compliance (GRC); to address the process of complying with and reporting on these new regulations.  Innovation and new solutions drive growth for both markets.

But, the second half of the 2000’s saw over a 4x rise in data breaches.  If we’re spending all this money to comply with new regulations, why are we seeing an increase in data breaches?  Connectivity to the Internet, the growth in e-commerce, and the convenience of being online definitely expanded the attack surface, but we also started to realize compliance did not equal security.  Compliance management and security risk management are two different issues.

The Security Risk Gap

As we rolled into the 2010’s, we started to realize there was a gap between the compliance solutions and the security solutions.  Gartner affectionately called this “above the line” and “below the line”.  Compliance solutions were “above the line”, as they were responsible for compliance tracking and reporting.  Security solutions were “below the line”, as they were responsible for securing the environment.  I argued in 2012 that there wasn’t one line, but two lines; creating a much larger gap.  To illustrate, let me walk you through the various attempts to close this gap…

The first attempt came from the GRC vendors.  Since the GRC solutions had to track compliance across management, operational, and technical controls and needed to understand the criticality of business assets, they were in a unique position to truly manage security risks.  The challenge was manually collecting the technical control data across thousands and thousands of assets.  Questionnaires were not an effective solution, so the GRC vendors attempted to integrate the security data directly into their solutions.  This is where we hit the first line – the line of scale.  Since these solutions were built for gathering data manually, they were not designed to store millions, or even billions, of data records.

Realizing this limitation, the security vendors attempted to solve this problem from the bottom up.  After all, they had the security data, or at least a subset of it.  All they needed to do was build some questionnaire capabilities and integrate data across various solutions.  This is where we hit the second line; the line of unity.  Security vendors are really good with their data, but when you try to make everything look like a vulnerability or an event, you lose context.  Plus, security was starting to grow on its own.  Did they really need compliance?

SOAR to the Rescue?

Now we see the emergence of a new Gartner market, Security Operations, Analysis, and Reporting (SOAR).  Guess where it’s positioned?  Yes, in between the security solutions and the GRC solutions.  But, instead of being one market to fill the security risk gap, it’s actually three: Threat and Vulnerability Management (TVM), Security Incident Response (SIR), and Security Orchestration and Automation (SOA).  Who solves the broader security risk problem?  Did we just create the need for yet another new solution to bridge these three new markets?

What’s Next? While SOAR has helped to bridge the gaps between the top line and the bottom line, challenges remain. At least over the next few years, we can expect to see more of the same. More push for integration. More automation of currently manual tasks. From there, big data and artificial intelligence technologies are likely to flex their muscles as the dataset becomes large and complex.

Stay tuned for our next BLOG on State of the Union in Security Risk Management where we will dive into the dynamics that are currently driving technological advancements and future challenges.

About the author:

An information security, compliance, and risk veteran with 20+ years of experience designing and implementing solutions, Matt is the Chief Strategy & Marketing Officer at Layered Insight. Prior to joining Layered Insight, Matt advises various security start-ups and is the former VP of Strategy at Tenable, where he developed long-term strategies for both application and container security, including the acquisition of FlawCheck. Matt is also a co-host on Security Weekly, a weekly video podcast, and has published various blogs and article on security. Matt holds a MS in Computer Engineering from Case Western Reserve University and is a CISSP.