“It’s better than nothing”

These words are the enabler of so many worthless security “solutions”. From phishing testing, to SAST, to “threat intel feeds”, to well, look around the floor of RSA…

Instead of identifying real problems and finding or engineering solutions that fix those problems, “security” continues to bolt on the cheapest “solution”, masking the real problem and kicking it down the road, claiming “it’s better than nothing”.

Unfortunately, it’s really not better than nothing. Every organization has limited, finite resources, no matter how well funded. Wasting time, effort, and money implementing worthless “solutions” because that’s what everyone else does is harmful. Those resources should be spent on identifying and addressing the root cause.

On top of the missed opportunity and wasted resources, making it so your users aren’t sure if they should open that attachment from their supervisor, or burying developers in false positive vulnerabilities, is harmful to your business. These are technical problems; they need engineering, not fairy dust and best practices.

The VC driven world of cybersecurity startups drives this glut of worthless security “solutions”. There’s a perverse incentive to bring to market the weakest approach to a problem as quickly as possible. There’s absolutely no incentive to solve hard problems. Instead we get the cheapest possible approach, which doesn’t actually address anything, but kicks the can down the road and shifts blame to someone else.

As a result, we get empty statements like “The human is the weakest link”, which leads to shallow handwavy “solutions” like trying to trick your users with phishing tests instead of saying “Let’s make it impossible for a person being tricked to result in a compromise” - because that’s a harder problem than doing “something” and calling it a day, even if that something is actually harmful.

This is then enabled by security people that don’t actually understand the problem they’re trying to solve. Their view of security is entirely shaped by what vendors are trying to sell them, what their peers are doing, and what Gartner et al. say is the best. Gartner and their peers are also just taking what the market is offering (junk) and comparing.

Platform providers are probably in the best position to address the underlying issues. They’re not incentivized in the same way. They’re not (usually) selling security, but security affects their bottom line. That’s why you see real work coming from them on Passkeys, etc. They do have other, sometimes competing incentives though, so it’s not a panacea.

Here’s my advice to security leaders:

  • Before investing in a security product, ask yourself if you really understand the problem you are trying to address. Does this approach really address the issue? For instance, trying to stop phishing attacks against your users? Does TOTP MFA address that?
  • If you find yourself, or someone else, saying “it’s better than nothing”, stop and reevaluate. Is it really better than nothing, or should your available resources be put to use on a real solution?
  • Hire technical people that question the status quo
  • Train your people to be more technical and question the status quo
  • Don’t let vendors tell you what the problem is, they’ll always have a solution to the problem they invented
  • Identify the problem, then go find a solution
  • Don’t be afraid to build the solution (even though it might not always be the best approach)