Breach Fatigue: Why Security Solution Providers Need To Give Customers A Wake-Up Call
Target. Home Depot. Sony. Anthem. Premera. The Office of Personnel Management. The list goes on and on.
While the continued stream of data breaches helps raise awareness of the security challenges facing businesses today, security experts said the flip side is that the massive influx in recent months is putting customers in danger of "breach fatigue."
The idea behind breach fatigue is similar to the phenomenon seen with nurses, where a high number of alarms on the hospital floor left nurses battling sensory overload and, ultimately, unintentionally tuning out potentially critical alerts.
Some security experts said they are starting to see this same phenomenon mirrored in the security industry, where almost daily security breach alarms are sounded and customers are starting to roll their eyes and tune out conversations urging them to invest in security to avoid being the "next Target."
In 2014, there were 783 known data breaches, or an average of just more than two a day, according to the Identity Theft Resource Center. That represents a jump of 27.5 percent over the year before. The numbers aren't yet in for 2015, but are likely to be even more drastic than the year before, with mega breaches hitting verticals such as health care and the federal government space so far this year.
"There's been so many breaches that consumers aren't paying attention anymore, but they're getting angry at the same time so they're not protecting themselves -- but they're mad at [security professionals]. That's going to be one of the harder things we'll have to deal with politically," said Kevin McDonald, executive vice president and CISO at Alvaka Networks and president and CISO at Noloki Cyber Defense.
Brett Hansen, executive director of end-user computing software product management and marketing at Dell, said this topic comes up in conversations with multiple customers and partners every week, especially those that are small businesses or in verticals where they don't feel like they will be a target. He said the customers and partners feel overwhelmed by the constant barrage of breach news and feel hopeless against stopping the "bad guys."
"There's a sense of inevitable doom, so rather than taking action they take the ostrich-in-the-sand approach," Hansen said.
Beyond fatigue for bad news, Hansen said he sees customers also becoming weary of the mass of technology being pushed on them to solve their security challenges.
"The challenge that all companies face ... is not just fatigue from all the breaches, it's fatigue from all this technology that they're being inundated with," Hansen said.
For solution providers, the downside of that is that customers are eager to make rash technology decisions based on the latest breach in the news, not based on what they actually need, said Peter Tran, general manager and senior director of RSA's Worldwide Advanced Cyber Defense practice. For example, Tran said he saw a surge of interest and investments around securing point-of-sale systems after the Target breach and a push toward PHI (protected health information) and PII (personally identifiable information) investments after Anthem and Premera.
"That's a dangerous place to be because you're making your purchase decisions reactively based on a lot of noise and trending that is short-lived, whereas you should be looking at key operating areas that are fundamental no matter what technology you use so your technology decisions are predicated on your operating efficiencies, not what is trending and what is in your face," Tran said. "That drives a very short-term investment to a very long-term problem," he continued.
However, customers should prepare themselves for the security long haul, Accenture CTO Paul Daugherty said, as that purchasing cycle is unlikely to end as security demands a continuous investment in what is a very "complex problem."
"One of the lines I hear all of the time is, 'There is no finish line in security,' " Daugherty said. "The real challenge is distinguishing what is enough and what is the right amount."
The danger isn't just for the customers; it's for the partners themselves, Tran said. While customers are growing weary of hearing of near-daily data breaches, security professionals and managed security service providers, with their security monitoring services, also face the human challenge of what Tran called "security amnesia," where they are so inundated with security alerts and noise that they develop blind spots to true indicators of attack.
Hackers actively exploit that human element of security monitoring, he said, launching attacks that last 24, 48 or even 72 hours that push the boundaries of human physical endurance.
"You fall asleep at the wheel, no pun intended, with the car hack. Our thresholds change and that is very dangerous," Tran said. "That's a very dangerous place to be."
That challenge is compounded by a serious shortage of talent in the security industry. Companies that are still on more legacy security solutions end up shorthanded as they battle a growing number of security alerts, said Ron Myers, vice president of worldwide channels at Palo Alto Networks.
"I think if our customers don't think broader than legacy solutions, they tend to throw people at the problem and they're going to find fatigue in that because there are not enough expert resources out there to keep up with the manual discovery and incident response. You have to deal with it on the front end and unless they change their philosophy to protecting the network or the end point of the perimeter, there could be consequences," Myers said.
To nip the challenge in the bud, experts agreed that partners need to change both their sales and their technical approaches to security. For sales, RSA's Tran said that security companies have to step away from the security scare tactics of the past.
"The 'scared straight' conversations are becoming a thing of the past. It's somewhat overused and [customers are] becoming desensitized to that," Tran said. "That hasn't worked for a long time."
Instead, he said that partners should focus on a more consultative approach that steps back and builds a long-term security plan based on the business' needs and critical information, not on fear, uncertainty and doubt.
"It's a very consultative approach, led by looking at the customer specifically around protecting those key high-value areas that, if breached, would take the business to its knees," Tran said. "It becomes a very thoughtful discussion, instead of scaring you into shaping your security program."
Devin Archer, Americas channel director at ForeScout Technologies, agreed, saying that partners have a critical role in helping customers move away from point products to a long-term-solution approach that really understands a customer's environment and needs.
"It starts with having a plan. One of the greatest [benefits] a partner can bring is the methodology, the discussion," Archer said. "There's a great role for the partners today to start the conversations around security ... then creating a methodical approach."
Downers Grove, Ill.-based Sentinel Technologies is one company that has taken such an approach, CTO Robert Keblusek said, launching a co-managed, cloud-delivered security incident and response program called CloudSelect. Keblusek said he sees this type of long-term security program as a way to build customer loyalty by proving the company's security prowess.
"Even with the best systems in place, though, breaches will occur. I think that the real test of the organization is how they handle a breach. I would say consumers will not change behavior as much knowing that most companies are at risk and you aren't really sure what their level of security is simply as a consumer," Keblusek said.
However, RSA's Tran said that many security providers still have a ways to go to become more solution-generated, rather than procurement-generated. He said he believes government will play a critical role in pushing that transformation along through regulation, but a lot of it is up to the solution providers to make the shift for the benefit of their clients.
"We're not even close to being there yet," Tran said. "There's a big wake-up call coming," he added.
Jimmy Sheridan contributed to this story.
This article originally appeared as an exclusive on the CRN Tech News App for iOS and Windows 8.