As a journalist, you know the drill at media briefings. Hosted and paid-for by a vendor, and with speakers from the company - as well as (usually) an end-user or an academic, the idea is to bring journalists together with the experts to discuss the prominent matters in the industry. And if those issues and industry challenges can be resolved with one of the vendor’s solutions then everyone’s a winner.
The vendor gets the business, the press coverage and the thought leadership, while the journalist gets the story, the contacts and the free lunch. The speakers get some media air-time. It’s no surprise then, that these are usually enjoyable, if tame, affairs.
Except, on this occasion, one of the experts wasn’t following the script. Discussing mobile security, a then-consultant and now-CISO went against the grain, revealing how most enterprises could manage their devices in-house with Microsoft’s old - and not very sexy - ActiveSync. He went on to accuse the vendor community of selling ‘snake oil’ and spreading FUD (fear, uncertainty and doubt). “Vendors are part of the problem,” he said.
It was blunt, but it was interesting because it raised some pertinent questions: How much are vendors doing to make the world a safer place - and is it in their interests to do so anyway?
Are security solutions even fit to face the threat?
Almost all vendor offerings in the InfoSec space are built on fear and risk management. After all, if no one was concerned about data loss, why would anyone bother with security software?
Subsequently, millions of consumers and businesses worldwide today buy or download anti-malware tools, often in the assumption that they’ve ticked the box and made themselves secure.
Yet this ‘security’ is never guaranteed, especially in an evolving threat landscape where cybercrime-as-a-service and nation-state hackers are considered a reality. This has led some experts, including some credible if controversial names, to question if today’s security tools - like antivirus, anti-malware and DLP, are fit for purpose.
Speaking to CSO Online this week, McAfee co-founder John McAfee questioned if today’s security solutions are up to the job.
“The vendor community is largely operating under an old, reactive paradigm that no longer works. The old paradigm looks for damaging code, suspicious file transfers and malicious activities that can only be detected after a hacker first "sniffed" the system they were intending to hack. At this point, it is generally too late to avoid damage.
“Few vendors are providing proactive systems that are able to shut down the hacker within a few minutes of the hacker’s first sniff of the network. Very few vendors are addressing the rapidly growing problem of internal hacks.
Sign up for CIO Asia eNewsletters.