History tells us that there comes a time when almost every new innovative service starts to lose ground to a “good enough” competitor. In fact, many of the products that we buy are much cheaper than the original models, because competitors cut corners to make something that is good enough to fit our needs at a cheaper price. As a director of operations, I can fully appreciate a lower priced option that still fits the needs of my organization.
But good enough could spell trouble, especially as this mindset creeps into the cyber security industry. In fact, I’d go so far as to say the single greatest cyber threat to organizations today is the “good enough” standard that’s being sold by key players within the cyber security industry.
For example, many vulnerability scanning tools have been developed over the years and have become a crucial part of organizations’ everyday security posture. These scanning tools provide valuable insight into out-of-date patches and vulnerabilities that have been publicly reported. The problem: most organizations’ vulnerabilities are not publicly known. We’re talking about nearly 90%! What does that mean? A vulnerability scan, or a scan-based penetration test, will not identify those unknown vulnerabilities. That’s a high price to pay for good enough.
Still, this good enough mentality is easy to justify from a business plan standpoint. For the buyer, a scan-based penetration test or vulnerability scan takes less time and is more cost effective. For the service provider, it’s very hard to get and retain employees who have the skillset required for manual penetration testing, so it’s easier – more cost effective – to just hire less skilled individuals to run automated processes and go through a manual checklist at the end.
I mean, customers don’t know the difference, right? Isn’t this good enough? Many are certainly falling for it, hook, line and sinker, and the mindset has started to dominate an industry that should have no tolerance for second best.
In order to overcome this mindset, customers need to start asking the hard questions and evaluating their cyber security strategy: what exactly am I getting for my money? What is the risk I am facing? Am I settling for “good enough” or doing everything I can to secure my organization and customers? The security industry needs to evaluate the value it is selling to customers and start asking some hard questions as well: is this really securing my customer? If not, does the customer understand exactly what they are buying, or am I providing them with a false sense of security?
At the end of the day, hackers are leveraging the vulnerabilities of not only the organization’s network but also the security industry itself to exploit, gain access, and take whatever it is they are after. Let’s not make it easier for them.