Want to protect your data and make your enterprise more secure? Invest more in human resources than in technology, think like the bad guys, and redefine success in the war against cybercrime. That's some of the advice shared this week at the RSA Security Conference by Art Gilliland, Hewlett-Packard's senior VP for Software Enterprise Security Products.
Gilliland told some of the 25,000 attendees at the RSA conference in San Francisco's Moscone Center that his company's research shows that too many businesses rely excessively on software and hardware to protect their systems. Meanwhile, they skimp on safe practices by smart managers.
"We are over-invested in product," he said.
Rather than chase "silver bullets," he said, companies must invest in a trifecta of "people, process and technology." Companies that did so have seen 21 percent better returns on their investment and saved an average $4 million more than other companies.
Invest In Compliance
Based on assessments of 96 companies globally, HP found that most spent 86 percent of their security budget trying to block threats at the infiltration stage. Meanwhile, personnel had a minimalistic "check box" approach toward security practices and policies.
"Almost a quarter of the people implementing this strategy failed to meet the minimum security standards they set for themselves," he said. "They are aspiring toward the low bar of compliance. And, 30 percent failed to even meet compliance."
The war against hackers might seem like a lost cause since spending on defensive measures last year went up 20 percent, while damage from cyber criminals increased 30 percent, Gilliland said.
But he countered that the good guys and bad guys are held to different standards.
"There is a structural imbalance in our industry," said Gilliland in his address, which was recorded for viewing on RSA's Web site. "For us to define success, we need to be right every time, we need to be perfect. For the adversary to define success, he only has to be right one time." Give up looking at the war as a zero sum game, he said, because companies block the vast majority of threats.
Understand Your Enemy
Gilliland also said it is important to realize that criminals use the same methods and processes as anyone else to do their work. Only their motivation is different. So it's crucial to understand how their marketplace looks and works.
He detailed the layers of the "attack lifecycle," beginning with those who research and profile networks and systems, then put out feelers to sell that profile to someone else. The next person buys those profiles and uses them "either to understand what kind of toolkits to build or to trick us to break into the network through a bunch of access points," Gilliland said. Those access points can then be mapped and sold to someone else.
In the final step, the hacker accesses information, either to steal or destroy it. He noted that the data security industry spent $46 billion last year to protect itself from the rising level of threats.
Those threats made this year's RSA Conference the biggest in its 21-year history in terms of participants, exhibitors and speakers.
"Data security has been a prevalent theme this year," said John Shier, a security adviser with Sophos, in an e-mail from the conference. "The combination of the NSA revelations [about civilians] and the data breaches has meant that more people are looking for ways to protect their data, regardless of whether it's the supposed 'good guys' or the crooks that are trying to get their hands on it."