Breaking the Cybersecurity Insanity Cycle

Posted by Yong-Gon Chon on Jun 19, 2018 11:15:36 AM



I’m joining the Board at RiskRecon because with my 20+ years of experience working in information security, I truly believe their offering solves the failing state that dominates this domain.

To put it bluntly, Einstein defined INSANITY as “doing the same thing over and over again and expecting different results.” Over my long tenure in information security, I have witnessed exactly that: INSANITY. From firewalls to next-gen firewalls to something better than next-gen firewalls; from anti-virus to endpoint protection to endpoint protection with machine learning to AI orchestrated through “frictionless security,” we are doing the same thing over and over again expecting a different result. In some sense things are different—they’re worse. According to the 2011 Verizon Data Breach Investigations Report (DBIR), the cumulative caseload from 2004-2010 spanned over 1,700 breaches. In the 2018 DBIR alone it was 2,200.

So why are we simply evolving existing security solutions like Porsche has evolved the 911? Because it sells! Finding a cure would be akin to curing cancer. Like mortality, breaches are the outcome of the countless exposures of our digital vitality to people, places and things that will harm us. However, unlike in the physical world, the virtual people, places and things that will harm us are faceless, nameless, borderless and emboldened by their invisibility cloaks. 

So much of the security world builds features and provides services that are designed to detect, monitor, assess, observe, block, filter and pontificate that invisible threats are real and have, do or will harm you. I have seen more investor capital poured into creating buyer sizzle than cure creation because it’s taken an entire generation to mature government and business views that the Internet is more than just a series of tubes. When was the last time you saw a security product that didn’t have an Agent Scully dashboard tell you “The Truth Is Out There”?

If we are to break this cycle of INSANITY, we must work backwards from the outcomes we want vs. the outcomes we are trying to prevent and avoid. I’ve chosen to join RiskRecon as a Board advisor because RiskRecon does not practice the same INSANITY in third-party risk management that countless others do – sending questionnaires to thousands of vendors and expecting timely, truthful responses to determine a company’s exposure to risk. Instead, the outcomes we are looking for are: 1) ground truth in how third parties behave when entrusted to protect the data and access that’s important to you; 2) timely insight into better vendor management; 3) reducing your blind spots when “the cat’s away.” The truth about actual sources of risk IS out there, but it will only be found through practical, verifiable, technology-based solutions that expose vulnerabilities, which can then be tangibly resolved.
