One common issue I see is the time it takes to implement.
I was in a conversation with a CISO this month, and his chain of command told him that “2014 is the year for security” when it comes to spend.
That means he is preparing his budgets to be submitted for their FY14 funding as we speak, and he’s doing so based on technologies that they’ve wanted for the past 5 years!
Then, in 2014, when the CISO MIGHT get his funding, he’ll have to go out to alllll the vendors in the space; go through discovery, presentations, and demos. After that, it may take 2-4 months to get the RFP on the street based on all of the preliminary work. Next: another 2-4 weeks for RFP response; and then down-select to a couple vendors for the PoCs & bake off (2-4 months BTW!). Once ALL that is done, Public Sector is normally forced to go out and get 3 bids for each of the technologies they are interested in. There went another 3 weeks!
So now we are down to risking losing funding due to the end of the year coming up!
AND they are evaluating the purchase of a technology that they wanted 7 years ago!
Then we get down to the contract negotiation, award and deployment. Snap! There go another 6-12 months; and the technology probably only gets deployed at 50% of its potential—if that.
Now, how about our adversaries?
4989 new “opportunities” in 2011.
(4989 new vulnerabilities in the wild; and 8 of them were Zero-Days… slam dunks!)
And guess what…
Our adversaries went right to work immediately using these vulnerabilities and the malware/tool kits at their disposal in efforts to attack all of us.
No 3 bids.
They immediately deployed.
And they darn sure use 110% of the tools’ potentials.
Security Practitioners MUST get ahead. For the CISO (or whoever holds a like position), we have to change the status quo, not just challenge it. If a breach of sensitive information occurs, guess who has the responsibility for securing information in their title?
We must work with our partners, public and private, to know what’s around the corner. We need to be prepared for it. We need to budget for it. We need to prepare our organizations for it.
Lastly, we have to find a way to get out of the slow lane on this journey to a more secure environment.