January 15, 2024
The Software Industry Has Failed at Cybersecurity
It’s time for a new, architectural approach to cybersecurity.
If you attend a cybersecurity event like the RSA conference, you’ll see hundreds of vendors that collectively have just one job: to protect our data.
Every day, another new cybersecurity product is launched. From the biggest tech companies to the smallest startups, they are all building products that should do this one job of protecting our data.
As therapists sometimes say when nudging us toward obvious conclusions: how's that working for you?
Let’s start with how much money we are spending on cybersecurity. It's well over $100 billion a year, and McKinsey & Company estimates the addressable market at $1.5-2 trillion annually.
This might be a dream come true for most cybersecurity vendors, but for their customers, it’s a nightmare.
So, what's going on here? Why do we keep hearing about data breaches and ransomware attacks every day while spending on cybersecurity keeps climbing year after year?
In this post, I’ll explore these questions and discuss how a new, architectural approach to data privacy and security can help.
Is the Cybersecurity Fox Guarding the Software Hen House?
One of the unique things about the cybersecurity industry is that it is an extension of the broader software industry.
One company builds email software, and another builds email cybersecurity software. One company builds a router, and then another builds a firewall. Sometimes, the email vendor is also selling email security, and the router vendor is also selling the firewall to protect that router.
And, these companies make 10s of billions of dollars with this approach.
A Conflict of Interest?
We should ask: Does the current state of cybersecurity create a conflict of interest?
Imagine if your top local home builder also ran a privately funded (and very profitable) fire department. And then imagine that the homes they built kept catching fire in increasing numbers, year after year.
There’s a parallel between this hypothetical situation and what we’re seeing from software vendors who also sell cybersecurity products.
What's the Answer to This Conundrum?
We should expect more from the software industry.
That is what happened with the auto industry after Ralph Nader published “Unsafe at Any Speed”. His book revealed the safety issues with the Chevrolet Corvair and marked the beginning of stronger auto safety standards. Similarly, the ongoing, near-daily reports of data breaches have revealed the safety issues with today’s software.
Nobody wants an email product that is so horribly designed that they need to go out and buy an email security product; or a router that needs a router security product. Just like nobody wants a car that needs to have a roll cage and new seat belts installed to be safe to drive.
As consumers and businesspeople, we want safe and secure products. And that means they need to be built right, so they don’t need a retrofit. How can we do this? With an approach that prioritizes security and privacy by design – and engineering.
Many governments, led by the United States Cybersecurity and Infrastructure Security Agency (CISA) and joined by similar agencies in Australia, Canada, the UK, Germany, the Netherlands, and New Zealand, have jointly urged the software industry to ship products that are secure-by-default and secure-by-design, and have published a set of detailed recommendations.
The core principles are simple:
- Secure-by-Default: products should be secure out of the box, with no extra configuration or cost. Basic protections like MFA should be on by default, and there should be no default passwords.
- Secure-by-Design: security is built in from the start of development rather than bolted on afterward. The burden of configuring a product securely belongs with the vendor, not the customer; it’s a design problem.
These security recommendations provide a roadmap for creating secure software products.
A similar roadmap is needed for data privacy.
What if Everyone Shipped Products with Security Built-In?
I started Skyflow because of what I saw over two decades in the software industry working at leading companies like Oracle and Salesforce. These two companies today make over $80B in annual revenues.
While at those companies, I repeatedly saw customers struggling to figure out how to deploy enterprise software products securely, how to configure them, and searching for guidance on what the right default configurations should be.
In response to issues like these, pioneers like Todd McKinnon created Okta to build an identity platform the right way, and offer it as a service. Similarly, Matthew Prince built Cloudflare into a provider of secure-by-default CDN, cloud cybersecurity, DDoS mitigation, and domain registration services. Both of these founders saw the importance of creating companies that don’t treat security as an afterthought.
At Skyflow, we’re doing our part by tackling the problem of helping companies manage sensitive personal data such as customer PII. By taking an approach of security-by-design, we built a data privacy vault delivered as a service. Now, an article published by IEEE is calling the data privacy vault architectural pattern the “future architecture of privacy engineering.”
Our goal is to replace an entire category of products that are sold today under the guise of helping companies protect customer data. Companies can simply store their sensitive data in a data privacy vault, isolated from the rest of their systems, and keep only tokens in their application databases.
The vault then takes care of the rest: encryption and access control, privacy controls such as masking and redaction, governance policies that decide which role may see which field, and even data localization.
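To make the pattern concrete, here is an added illustration of the data privacy vault architecture described above. It is example code written for this post, not Skyflow's implementation or API: the `DataPrivacyVault`, `AppDatabase` and `POLICY` names, the token format, the masking rules and the sample customer record are all invented for the demonstration. The point it shows is structural: raw PII lives in exactly one place, the application database holds only opaque tokens, and every read back out of the vault passes through a governance policy that denies by default and returns plain, masked or redacted values depending on the caller's role.

```python
import secrets

# Constructed sample input for the demo (not real customer data).
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_CARD = "4111111111111111"

# Hypothetical governance policy: which role may see which field, and how.
# Anything not listed here is denied (redacted) by default.
POLICY = {
    "billing":   {"email": "plain",    "card_number": "plain"},
    "support":   {"email": "masked",   "card_number": "masked"},
    "analytics": {"email": "redacted", "card_number": "redacted"},
}


def mask(field_name, value):
    """Partial redaction that keeps a field recognisable without exposing it."""
    if field_name == "card_number":
        return "*" * (len(value) - 4) + value[-4:]
    if field_name == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    return "***"


class DataPrivacyVault:
    """The only component that ever holds plaintext PII."""

    def __init__(self, policy=POLICY):
        self._records = {}      # token -> (field_name, plaintext)
        self._policy = policy

    def tokenize(self, field_name, value):
        # Random, non-reversible token: it carries no information about the value.
        token = "tok_" + secrets.token_hex(16)
        self._records[token] = (field_name, value)
        return token

    def detokenize(self, token, role):
        field_name, value = self._records[token]   # KeyError for an unknown token
        # Deny by default: unknown roles or unlisted fields get "redacted".
        level = self._policy.get(role, {}).get(field_name, "redacted")
        if level == "plain":
            return value
        if level == "masked":
            return mask(field_name, value)
        return "[REDACTED]"


class AppDatabase:
    """Application store: every PII column holds a token, never the value."""

    def __init__(self):
        self.rows = {}

    def insert_customer(self, vault, customer_id, email, card_number):
        self.rows[customer_id] = {
            "email": vault.tokenize("email", email),
            "card_number": vault.tokenize("card_number", card_number),
        }

    def leaks_plaintext(self, *values):
        """True if any of the given sensitive values appears anywhere in the store."""
        dump = repr(self.rows)
        return any(v in dump for v in values)


def demo():
    vault = DataPrivacyVault()
    db = AppDatabase()
    db.insert_customer(vault, "cust-1", SAMPLE_EMAIL, SAMPLE_CARD)
    row = db.rows["cust-1"]
    return {
        # A dump of the app database exposes tokens only.
        "app_db_leaks_pii": db.leaks_plaintext(SAMPLE_EMAIL, SAMPLE_CARD),
        "billing_card": vault.detokenize(row["card_number"], "billing"),
        "support_card": vault.detokenize(row["card_number"], "support"),
        "support_email": vault.detokenize(row["email"], "support"),
        "analytics_email": vault.detokenize(row["email"], "analytics"),
        # A role the policy has never heard of gets nothing.
        "unknown_role_card": vault.detokenize(row["card_number"], "marketing"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The property worth checking in a real deployment is the one `leaks_plaintext` checks here: a full dump of the application database, its backups and its logs should contain tokens and nothing else, so that a breach of the application tier does not become a breach of customer data. Data localization falls out of the same design, because the vault holding the plaintext can be deployed in a different region from the application that holds the tokens.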
I expect the market to continue responding to these pressures. If this approach to cybersecurity works for identity and data privacy, why not for other challenges? Why not build all products to be secure-by-design, and secure-by-default?
What else could we build with the money we’d save?