Hardly a day goes by without a major data breach being announced. Thankfully, as US senator Ron Wyden helpfully points out, it’s just “cybersecurity 101” (and his bill criminalizing data breaches) that will save us. Awesome! I’m glad it’s super easy to fix enterprise security because suddenly enterprises won’t need to keep spending hundreds of billions of dollars trying to secure their digital borders. It’s very comforting to know that Senator Wyden has it all figured out (presumably part of his omnibus bill that also remedies climate change, healthcare, and more).
Or maybe, just maybe, the reason for the constant breaches is because enterprise security is really, really hard, and promises to become even harder with the rise of so-called multicloud strategies.
Lock them up!
But first, the numbers. According to Gartner, enterprises will spend roughly $124 billion on information security in 2019. If we take the broader cybersecurity market, enterprises will spend a cumulative $1 trillion on security over five years.
What does this mean on an individual corporate level? It depends, of course, but here’s one data point: J.P. Morgan Chase spent $600 million on cybersecurity in 2018, employing 3,000 security professionals. Not to be outdone, Bank of America CEO Brian Moynihan once declared that the bank had an unlimited cybersecurity budget. Microsoft, for its part, spends over $1 billion each year on cybersecurity.
This isn’t surprising, given that security is the number one CIO spending priority, according to a Credit Suisse survey.
In other words, Senator Wyden can threaten to lock up CEOs for poor security, but it’s hard to argue that enterprises aren’t already taking the threat seriously. No, money doesn’t solve security problems, but it’s a good indication that companies are trying to improve their security profiles.
Making matters worse
Unfortunately, many enterprises are also making other decisions that ostensibly will make them free from vendor lock-in, lower costs, etc. but simultaneously leave them in a more precarious place, security-wise. Derek Martin has written:
[W]ith each new cloud you attempt to onboard and govern, you exponentially increase your risk for a data breach, failure of governance or, at worst, business ending error. I’ve had three customers in the past six months justify their multi-cloud solution governance concerns by stating: “that’s a networking problem and to solve that problem, we’re going to force tunnel all network traffic between all clouds back to on premise.” No. You. Aren’t. In no cloud is it a good idea to force tunnel all traffic back on premise. For starters, ewe, but more specifically, it immediately eliminates major components and valuable services from said cloud because forced tunneling is a red herring and they don’t support it. It is a legacy construct to assume you can govern your data through networking alone…. Only just now are data governance tools that can protect data assets across multiple clouds being invented.
That’s right: There is no universal cloud security model. As such, even as enterprises fail to save money and improve agility chasing the multicloud dream, they also complicate an already complicated enterprise security situation. A far better approach would be to work closely with one preferred cloud partner to bolster defenses of that cloud, coupled with any hybrid (on-premises) resources.
None of which is to say that companies are dumb to seek after multicloud gains, or that if they just took Senator Wyden’s class in Cybersecurity 101 all of these data breaches would dissipate. They won’t, because the stakes involved are too high, and the world is too connected. Among other forms of (in)security, Akamai data suggests that there were 3.5 billion login attacks since November 2017.
Good people and good companies are trying to solve the security mess, but it is a mess, and it gets worse with each added system (whether through acquisition of other companies or through introduction of other clouds through strategery). There is no easy answer, and we should stop pretending that there is.