Six Myths of Information Security
Myth #1 -- The vendor community does not solve the problems most in need of solving
Origin of this myth
You hear this implicit accusation from many parties (analysts chief among them). A typical example is in Shostack and Stewart’s “The New School of Information Security”. A quote that is emblematic of this attitude: “There's an elephant in the room. That elephant is the assumption that the security industry has evolved to solve the problems most in need of solving”. [p.27]
We see things differently
Working at the leading vendor of Data Loss Prevention solutions provides a pretty interesting vantage point on current security tradecraft. We have unique insight into how the most sensitive data is actually treated at some of the largest and highest-profile enterprises in the world. We see how this data is used, abused, and placed at risk by well-meaning insiders, hackers, corrupt employees, and broken business processes.
What's really stunning to us from this vantage point is: a) how bad the problem of data exposure really is, and b) how stunningly ineffective current security tradecraft has been at controlling these problems for so long. From where we sit, DLP appears to be upending a lot of the conventional thinking about security; and thank goodness! The rates of abuse and misuse of confidential information are simply off the charts, and this problem badly needs fixing.
From our perspective, the data loss problem is the biggest untreated information security threat active in the enterprise today. This problem is now being confronted with technology pioneered in the Data Loss Prevention vendor space. This isn't marketing spin or hyped-up salesmanship. Most major enterprises agree: this new category of countermeasures (conceived of and created by vendors) targets a top-rated risk that requires attention.