Economics of Insecurity with Cylance and CDW

The information security field is economically inefficient. This is both good and bad. Bad, because it means billions of pounds are squandered on solutions which offer their buyers sub-optimal returns. Good, because opportunities exist to operate more efficiently, providing more profit for organisations.

Root Cause of Inefficiency

The primary cause of economic inefficiency is the misallocation of resources. To understand how the information security sector has traditionally mishandled resources, we must examine how the industry develops solutions. Antivirus software and other security solutions evolve by crafting responses to new threats. Each new solution adds a layer of protection to the last.

While this method of responding to threats is completely understandable, it is not particularly efficient. Every layer of protection may require additional resources. Following a pattern of erecting new defences to address emerging threats ultimately leaves security solutions top-heavy and demanding of resources.

The end result is predictable inefficiency. Every minute dedicated to learning new systems, every clock cycle spent processing additional security data, is one diverted away from the core business. Multiple layers of new protections built upon legacy solutions introduce control frictions into the environment. This directly impacts productivity, which results in inefficiency.

Business Alignment

Businesses should make sure their security provider’s goals are aligned with their own. Are the people selling business security solutions concerned with the overall efficiency of the company? Or are the vendors pushing inefficient, multi-layered, patchwork products that function under the assumption that some breaches are inevitable? The reactive nature of legacy AV protection has led to a proliferation of inefficient, ineffective solutions. Today’s businesses require lightweight, proactive solutions that focus on preventing breaches instead of responding to them.

To further illustrate the point: the old model of information security offers to sell your business fire engines, hoses, hydrants, and ladders in the event of an arson. A company aligned with your business would offer a more proactive, less resource-heavy solution. They might build your business from fire-retardant materials, in a safe neighbourhood, and install monitors to ensure no arsonist enters the premises undetected.

Misplaced Trust

Trust derives from two foundational traits: competence and character. Competence engenders trust by demonstrating capability and delivering results. Character earns trust by displaying positive intent and integrity. The public trusts information security companies to protect them from malware. This is clear from the positive market reaction AV companies enjoy during outbreaks of global malware. It is not clear that this trust is deserved.


It is difficult to claim the information security industry has demonstrated increased competence over time. Every year seems to bring more serious security compromises than the last. In response, people throw more money at the very industry which failed to protect them. This may be followed by the AV companies offering a slew of new products or services. These after-the-fact solutions may cost more money and add more control friction to the IT environment.


The reactive nature of information security has led to the creation of multi-layered, inefficient, and ineffective solutions. Security providers have embraced a philosophy of inevitable data breaches which fosters a culture of mediocrity and apathy. Misplaced public trust allows the AV sector to fail while avoiding the downside of standard market forces. Since IT security companies profit from the current situation, they have great incentive and many reasons not to change.

The future of successful information security requires the selection of proactive, preventative, lightweight solutions that align with the buyer’s business mission. They should introduce a minimum amount of control friction into the IT environment, and their goal should be 100% threat prevention, not an endless cycle of erecting new defences over the broken remains of the last.

For the last four years, the information security sector has been charging more for less. Until or unless the market’s understanding of the security industry changes, this trend is likely to continue.
