Charl van Der Walt

Once effective, IT security is now deteriorating on all fronts

As an industry, IT security has failed to deliver. Once-trusted technologies have been proved vulnerable, and nothing is impenetrable.

This is according to industry experts at the annual ITWeb IT Security Summit, in Sandton. Around 500 delegates attended the annual IT security event.

“There’s an elephant in the room,” said Charl van der Walt" rel=tag>van der Walt, co-founder and MD of SensePost and a member of the Security Summit advisory board. “As an industry, there is a real criticism to be made against us. IT security has failed. We are not delivering on the promises.

“Times have changed,” he said. “Fifteen years ago, all you needed was a lock. But over the past 18 months, the industry has been shaken by high-profi le events that may have proved we don’t have all the answers.”

Eddie Schwartz, RSA Security CSO, echoed this sentiment. “Now, prevention is impossible. If you don’t start thinking differently about security, you will fail,” he said, adding his belief that almost every company has been breached, whether they know it or not.

<a href=

Haroon Meer" />Schwartz said prevention had become inadequate as a security strategy. What is critical now is the human element, he said. “We are moving beyond technology-based security towards intelligence-driven operations.”

New security requires a new approach, covering better big data management and analysis, and a multi-skilled team to deal with threats. Investing in new technologies to lock out adversaries is no longer the answer.

“Focus on your adversary first,” Schwartz said, noting that it is crucial to understand the adversary landscape, the capabilities of adversaries, their motivation and likely targets.

“You also need to understand your mean time to detect threats, and understand that in this time, an attacker has access to your systems,” Schwartz said. He referred to a recent survey, which found most companies took between a week and 60 days to detect threats. This, he pointed out, left between one week and 60 days open for adversaries to explore enterprise systems.

In addition, IT security must be agile, risk-based and contextual, he said. “I think a lot of what companies are doing now has the wrong focus,” said Schwartz.

Haroon Meer, founder of Thinkst Applied Research, added that anti-virus (AV) solutions have not delivered on their promises either. He questioned the relevance of AV solutions in an environment where security breaches continue, in many cases without the targets even being aware of them. AV alone is clearly not a sufficient IT security measure, he said.

Van der Walt concluded: “As an industry, we need to take an honest look at where we are failing and how we need to go about restoring trust.”