By Geoff Bibby, CMO, Zix
As someone who’s spent more than two decades in email and internet security, nearly 18 of which have been spent at the same company, I’ve had a unique and privileged view of how much the space has evolved. Even among the sweeping changes that have occurred, however, there are clear cyclical patterns, meaning that many of the challenges we face today are similar to those we faced in the past.
That’s not to diminish the nature of the changes that have taken place. Security firms which were once able to focus on a single area now have to have a much broader skill set and cover a wide spectrum of threats and security management needs and challenges.
A harder sell
I feel the effects of those changes every day. Back when I first started, my day job was educating people on encrypted email and its necessity. Today, my day job is much more involved because you have so many more things that you have to educate people on; there are so many more things you have to get done, and it’s so noisy in the market with so many different vendors.
All that additional noise has, in some respects, made security a harder sell than it was two decades ago. Back then, all anyone wanted to do was get online. Many organisations were still relatively new to email and had to be educated on why it wasn’t inherently secure. Nowadays, most people are aware of that fact but have to be continually educated on new threats. It’s also about standing out in a busy market. Ultimately, it’s not so much about educating organisations on the need for security as it is about educating them on what sets you apart as a security provider.
In most instances, you’re also selling to a much larger team. Eighteen years ago, the person in charge of security was a specialist within the IT team. Today, it’s an increasingly large committee that not only involves the IT and security departments, but also legal and compliance. Depending on the size of the team and the size of the purchase, the purchasing decision can sometimes go all the way up to board level.
The tipping point
To my mind, there are two major tipping points that accelerated this change. The first was the Target breach of 2013, which affected 41-million of the retail giant’s customers and ultimately saw it pay out a US$18-million settlement. The breach was a major wake-up call not only to Target, but to corporations around the globe. In the aftermath, they started massively boosting their security teams, helping create today’s security ecosystem.
The second major tipping point was less tangible and happened more gradually. About 10 years ago, the language started shifting from believing you could prevent a breach to acknowledging that your organisation will experience a breach at some point and that you need to have a solid response plan in place. At the time it seemed defeatist, but over time it’s become clear that it’s the most sensible approach.
What’s old is new again
Even as the threat landscape has changed dramatically, however, there are some things that look very similar today to the way they did a couple of decades ago. Take Microsoft, for example. When it first emerged, it was focused on building a productivity suite, which was very successful. But then it made a play for building security natively into its platform. At the time, it simply didn’t have the agility to act as a security vendor in addition to the product work it was already doing. After numerous vulnerabilities were discovered, it took a step back, allowing more space for security vendors to adequately service their customers’ needs.
Now, with around 83% of enterprise users using some form of Office or Office 365 product, Microsoft is again trying to tell users that its built-in security is sufficient. Given that it was discovered in March that 30 000 US organisations were hacked as a result of flaws in the Microsoft Exchange Server, that’s clearly not the case. I’m once again witnessing people having a crisis of trust in the Microsoft brand and reevaluating whether or not they want to place all of their eggs in that one basket.
Turning up the volume
Ultimately, the biggest change over the past two decades has been that the volume has been turned up on every aspect of security. There are different vendors across different categories who all want to talk to the IT team. The language has changed, the amount of money has changed, the number of vendors has changed. The nature of the threats has changed. All of it is amped up compared to where it was.
But with a long view, it’s possible to understand those changes within their historical context and see that sometimes what’s old is new again.