For Nir Zuk, founder and CTO of Palo Alto Networks, building the future of information security is part of the day-to-day.
Zuk will be delivering a keynote presentation at the upcoming InfoSec Nashville conference on September 19, 2017, where he plans to delve into the financial side of information security and how the industry can strengthen the defense against cyber attacks.
The 1990s and early 2000s saw large investments in information security, stopping 90 percent of the attacks that occurred at the time, Zuk said. This was followed by a period of even greater investment in the mid-2000s, during which tens of billions of dollars stopped around 10 percent more cyber security issues.
Today, only about 1 percent of those cyber attacks pose a major threat to companies, but it’s unlikely that this last percent will be eliminated, Zuk said.
“What do we do to jump from 99 percent to 99.9 percent elimination of successful attacks? Are we going to invest 10 times more again, meaning are we going to invest hundreds of billions of dollars into a market that is $40 billion a year? Is it even feasible, or should we do something fundamentally different? I think the obvious answer is that we can’t do that,” he said. “We cannot go to that level of investment, and it’s clear that – without that level of investment – we’re not going to move much further than where we are today.”
While investing enough money to bridge the gap may not be feasible, there are other things that the information security industry can do to prevent major cyber attacks.
For instance, because many attacks are financially driven, increasing the number of attacks a hacker must stage to break through a company’s security also increases the cost to the orchestrator.
“In those cases, it’s not about stopping 100 percent of attacks, which is probably not something we’re going to get to. But it’s about making that attack much more expensive than what you can get out of the attack,” Zuk said.
In addition to directly confronting attacks, Zuk said that finding people to fill open positions in the information security industry could also benefit companies looking to improve their defenses.
“Right now in the U.S. there are over 250,000 open positions for infosec professionals. And it’s just getting worse and worse and worse,” he said. “What do we do? I can come up with the best technology ever, but if my customers don’t have anybody who can use it, then there’s no way for me to protect them.”
While more extensive education about information security would be a partial solution to this problem, Zuk said that what’s really needed is a change in the industry – especially a shift to focus more on technology.
“Given that attacks are automated, it’s not about how many people we have versus how many people they have. It’s how many people are required to deal with our infosec processes versus the capability of the bad guys to utilize automation and keep our infosec teams busy,” he said. “Of course, this is a war you’re not going to win. As long as we’re fighting machines with people, we’re not going to win.”
As a founder of one of the critical companies in cyber security, Zuk is helping lead the industry toward this automation, which he said he is optimistic will develop over time.
“I think that we’ve been picking the low-hanging fruit for the last 25 years. Yes, we’ve been going higher and higher in the tree, but we’re still very low. And now we have to start getting to points where we use way more technology and way more specialized technology and different attacks require different sets of technology,” he said.