As we move through the first half of 2017 we begin to look to the future – security organizations are planning their end of year programs and 2018 budgets, and responsible security leaders are searching for ways to further strengthen their protection. They quickly realize that deciding what to do isn’t easy. Ours is an industry where, while “There is no silver bullet” is chanted like a mantra, competing vendors actually spend more of their marketing dollars describing the insufficiency of existing solutions than they do explaining the added value that their new advancements bring. It’s no wonder that buyers feel confused and misled.
Looking at IT security spending for 2016, Gartner reported a 7.9% increase over 2015, to $81.6B. That is good to see, as the ID Theft Resource Center reported a 40% increase in Data Breaches in 2016, and IBM reported a whopping 6,000% increase in ransomware. As companies look to apply those extra dollars, they need to be able to figure out how to improve what they have today without feeling like they have to rip out what they’re already using. The industry as a whole, both vendors and businesses, will benefit most dramatically if those vendors honestly describe their own merits without aggressively devaluing existing solutions and competitors.
An Unprofitable Equilibrium
There is a tool used in economics that describes this situation well. It’s called Nash Equilibrium. The concept is that in certain systems, when every competitor makes decisions with only their own best interests in mind, the system ends up with a suboptimal result. We see this in security all the time. New entrants into markets look for ways in which they can stake out unique value, but they do it through broad attacks against incumbents. A weakness in one facet of protection becomes a reason to completely switch and retrain. Not to be outdone, the incumbents respond with questions about stability, breadth, and functionality of the new entrant. The customer? They are left distrustful of all of the vendors, looking for some kind of objective data to help them formulate a reasonable security strategy.
Even this isn’t easy in security, where words have lost their specific meaning, and where testing results are necessarily as subjective as the tests products are put to. As an example, In recent months we have seen security product certification organizations produce conflicting results when they independently measure the relative efficacy of competing security products. What’s a user to do?
This is where that unprofitable Nash equilibrium pops up. Because companies are overstating the weaknesses of their competitors, the easiest thing for organizations to do is “more of the same”. They are made less likely to invest in what is new, and are dissatisfied with what they have, commonly resulting in security strategies that do not advance with new approaches, that are not leveraging the full value of existing purchased tools, and, among organizations which can afford it, redundant protections for the same problems solved in different ways by different vendors. The entire market suffers as new products do not find rapid adoption, existing products are viewed as aging and inefficient, and security teams remain in stasis, immobilized by all the negative messaging.
Security has multiple layers, after all
The breadth of challenges that fall under this heading of “security” already makes improvement difficult, and this destructive competitive messaging makes it more so. The past 10 years are littered with headlines presaging the death of security technologies, including anti-virus and intrusion detection, but like Mark Twain, most of their deaths have been greatly exaggerated.
A better approach is to understand what additional protection these tools can bring. As organizations wrestle with the new threats and increasing risk, most want to address gaps that they know exist, whether in monitoring, prevention, or response. When vendors recommend, instead, that the right move is to completely replace existing suites with their new offers, it begs the question of what new holes will be left behind, and what human costs will be incurred as processes change. Anti-virus suites make a great example, as the most popular versions today are providing a variety of important services, beyond the simple signature-matching and management functionality that was their original value. While those techniques may struggle with modern polymorphic and fileless malware, the platform’s data leakage protection, personal firewalling, website filtering or local encryption may be critical.
Security teams looking to spend their 7.9% increase in budget should take the time to understand where they are most significantly exposed. A simple swap of one technology for another can bring unexpected exposure, either in protection, staff capability, or user satisfaction. In many cases, augmenting the existing protection with additional coverage for the weak spots can be more effective and less disruptive. IT staff continue to manage a solution they understand, processes can remain largely the same, and adoption of the new solution does not upend already strained IT resources. If the new solution does prove to subsume the value and protection of its predecessor, at that time the organization can choose to migrate off of the earlier protection with much lower likelihood of disruption and delays.
Most IT and security teams recognize that security strategies and tooling require consistent review and refreshing. It isn’t necessary for the next wave of security companies to drive the old out of the market to survive.  
;They only need to prove their value in closing the gap that new threats are widening, so that good decisions can be made by good analysts, without having to stare through too much negative smoke.
