At what is touted to be one of the biggest security conferences of the year, Amit Yoran, President of RSA (the security division of EMC), dropped a bombshell on over 30,000 cyber industry executives, saying that cyber security has essentially... failed.
Delivering the opening keynote for RSA Conference USA 2015, Yoran described the current cyber security landscape as the "Dark Ages", adding that 2014 was the year of the mega breaches.
"The sophisticated barbarians are already inside the gates," he said. "Not only are they inside the gates, but they've raided the liquor cabinet, and are walking out with anything that hasn't been bolted down. Even organisations that invest massive amounts of money in protecting themselves are continuously being compromised."
Yoran also drove home the idea that the security industry is promoting a defensive strategy that aligns with the Dark Ages mindset, whereby companies employ security strategies and solutions that no longer map to the business and threat environment we face.
"The terrain has changed but we are still clinging to our old maps. It's time to realise that things are different. The strategies and systems upon which the security profession has been relying don't produce the result we expect," he said.
He argued that the industry continues to seek a technology solution to what is fundamentally a problem of strategic approach, and that an iterative approach to improving our defensive strategy is incapable of beating threat actors who are able to evolve their tactics far faster than we can build new walls.
He concluded that many of the technologies exist to provide true visibility, proper threat intelligence and systems that help manage digital and business risk. "This is not a technology problem," he said. "This is a mindset problem. The world has changed and it's not the terrain that's wrong."
APJ companies feel they are better equipped to respond to cyber threats
With the resounding message that cyber security has failed, it is worrying to note that 75 percent of organisations have significant cyber security risk exposure. Additionally, only a quarter feel they have mature security strategies in place.
These figures come from RSA's Cybersecurity Poverty Index, which polled over 400 security professionals across 61 countries. This inaugural study asked respondents to self-assess their security maturity levels. The assessment was based on the NIST Cybersecurity Framework (NCF), which outlines five key functions: Identify, Protect, Detect, Respond and Recover.
Not surprisingly, the strongest reported maturity levels were in the area of Protection. RSA feels that companies should not overemphasise protection over detection and response, especially since protection and preventative capabilities have proven to be fundamentally incapable of stopping today's advanced cyber threats.