Today’s information security regulatory standards are out of date. They need to be updated with more prescriptive guidance. For example, almost all security practitioners know they need updated technologies like malware sandboxing, exploit prevention (memory protection) on desktops, enhanced network traffic visibility, distributed deception platforms, web application firewalls and enhanced SIEM systems that can leverage user behavior analytics and machine learning rather than simple correlation to keep pace with the attackers of today. Why is it that our regulators don’t see (and more quickly respond to) how even compliant organizations are being breached every day? Maybe I’m just on a soapbox, but we need to get real with the attacker. It is my belief that we must push our regulators and contractual obligations like PCI, HIPAA, CIP and other regulations and regulators to evolve to be more relevant to today’s threats.
Today’s threats need new technology approaches to be defeated. For example, many organizations I speak to still don’t have adequate headcount; despite this, they still don’t use technologies that would lower the headcount required. Many of these technologies (especially user behavioral monitoring, machine learning and distributed deception platforms) can and do lower the number of staff required to raise detection and prevention rates.
Does it mean you should reduce staff after getting them? No – but we need to stop this bleeding and do so fast, or else the next Dyn-style attacks are going to place our entire economy at risk. We need to ask this question: Will we concede and be like “oh well”? We all know what we can improve and how – but not doing it and not updating regulations that sorely need it is akin to throwing up our hands and giving up! Let’s not give up! Let’s keep our heads high! Realize quickly that what we are doing is failing and move forward to quickly address it!
#end angry rant
Am I being too provocative? Thoughts?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.