I keep reading articles and blog posts about all sorts of security solutions and how to secure an organization from the onslaught of network attacks. However, all of these discussions seem to assume that everyone is a Fortune 500 company. Threat intelligence, hack backs, APT, etc. are discussed as though everyone has the ability to implement the recommendations presented.
An important statistic that all of us in the security profession need to remember is that the vast majority of organizations are not Fortune 500 organizations. As of 2008 (the latest statistics I could find from the US Census Bureau), there are almost 6 million businesses in the United States. The Fortune 500 therefore comprises 0.0084% of the total businesses in the US. To make matters worse, organizations that employ fewer than 100 employees make up 98.1644% of all employers in the US. I would guess that these statistics are relatively consistent around the world.
The reason these statistics are important is that security professionals need to pull their collective heads out of their posteriors and stop making security so hard that it is impossible for the 98.1644% to implement.
Do you now understand the frustration of most business people?
They do not have a security staff of tens or even hundreds to tackle security issues. They are lucky if they have an IT person or two. If they can afford it, they outsource and do everything possible to make themselves secure, but they can only do so much and their resources are extremely limited, particularly given the Great Recession that they just survived.
Margins for small businesses are very slim. You can argue all you want that today’s businesses are only competitive if they leverage technology and that technology comes with prerequisites. However, have we created an environment where the hurdle to be in business is now so high that small businesses are just going to be targets regardless?
As a result, I challenge the security community to come up with realistic solutions to security. We need to develop common-sense, simple but effective security methods so that the 98.1644% of organizations are reasonably protected. Granted, security is not perfect, but we have got to stop discussing security and privacy as though every business is a Fortune 500 company. They are not, and our solutions and recommendations need to reflect that fact.
This brings me back to the PCI DSS. If all of the requirements of the PCI DSS could be executed 99.9999% of the time every day, would it keep an organization secure (recognizing that security is not perfect)? I believe it would. But it’s that consistency of execution that is the problem regardless of organizational size.
So let us refocus our priorities and help the vast majority of the world get secure.
I have tried to do that with this blog, but I too have been seduced by the big dollars that the Fortune 500 toss in my direction. In my very humble opinion, I think we need to get back to our roots and do more for the vast majority that are struggling with security.
That said, in the process of simplifying, maybe there will be some opportunities for the Fortune 500 to find solutions that are less complex. It could be a win-win for everyone.