Tens of thousands of security professionals and many hundreds of vendors came together at the massive RSA Conference in San Francisco last week for the largest enterprise cybersecurity confab in the world — and the general consensus was sobering.

Bad actors have had the edge over enterprises – aka the “good guys” – for decades, and the only way to turn things around is to recognize a frightening fact: The way companies have been handling cybersecurity up to this point simply hasn’t been working well enough.

Passwords don’t work. Malware signatures like the ones that traditional antivirus tools use to detect malicious software are woefully inadequate. Firewalls are more porous than ever. Patching software vulnerabilities is a losing proposition. The list is endless.

In other words, something has got to give.

The three dimensions of cybersecurity disruption

A multifaceted set of disruptions are driving cybersecurity risk for enterprises today. “The scope, the breadth, the depth, the sophistication, the diversity of the threat that we face now is like anything we’ve had in our lifetimes,” said Christopher Wray, director of the FBI. “Whether you look at the range of actors, from multinational cybersyndicates to foreign intelligence services to insider threats, hacktivists, you could go on and on.”

Organized crime in countries around the world has gotten into the cybercrime game. And then there are the nation-states – with massively deep pockets and near-unlimited resources to mount what is no less than cyberwar against their adversaries.

And don’t forget the dark web, the massive online bazaar of varied malware, available for a price to all manner of petty and not-so-petty criminals.

Meanwhile, corporate and government attack surfaces have exploded. Everyone carries a smartphone, ripe for the hacking. The “internet of things” brings vulnerabilities to vehicles, smart city infrastructure, video cameras, and even baby monitors – with no end in sight.

To make matters worse, enterprises no longer restrict their personnel to protected office environments. Everyone from executives to the rank-and-file might work anywhere from a living room to a Starbucks halfway around the world.

The third dimension: The sheer multitude and diversity of attack methods is similarly staggering. “If you look at the range of attack methods, whether you’re talking about spear-phishing all the way to ransomware, botnets, DDoS attacks, you could go on and on and on,” Wray added.

For every type of malware that makes the news, tens of thousands go unreported – and they transform themselves all the time, presenting a continually shifting target. No part of the information technology infrastructure is immune, from the boot volumes on flash disks to the memory in virtual cloud instances.

Not only do traditional cybersecurity measures, from firewalls to anti-malware technologies to vulnerability patching regimens fail to stem the flow of attacks, they’re dropping further and further behind.

Is it time to reinvent cybersecurity?

According to the Cybersecurity Framework from the U.S. National Institute of Standards and Technology, cybersecurity breaks down into five functions: identify, protect, detect, respond and recover. Cybersecurity providers have long aligned their offerings to these five functions.

In response, adversaries around the globe have sought to evade or disable each of these functions, putting the efficacy of the Cybersecurity Framework itself into question. Enterprises thus find themselves in a bind: Continue to work with the established cybersecurity companies, even though bad actors have largely figured out how to circumvent their gear, or go against conventional wisdom and take more innovative approaches to securing the organization.

With the broad recognition that earlier generation cybersecurity is falling short, combined with the wealth of innovation on display at RSA, you might think that chief information security officers would be pulling out their checkbooks to buy all the latest gear from the disruptive smaller vendors on display.

Not so fast. CISOs already have plenty of cybersecurity gear in place. They would generally prefer to go to their current providers in order to obtain innovative capabilities rather than add a dozen startups to their shopping list. After all, cybersecurity must be comprehensive to be effective, and installing a plethora of point products – no matter how innovative each is separately – may lead to vulnerabilities at the gaps between them.

How, then, should organizations make cybersecurity investment decisions?

Balancing the risks

The choice, of course, always boils down to risk. What is the risk of sticking with established cybersecurity vendors with track records, given the fact that bad actors continue to capitalize on their weaknesses?

Or consider the alternative: What is the risk of implementing the next-generation cybersecurity technologies and approaches that the smaller vendors at RSA bring to the table, given that these companies are generally young and small, with no track record or guarantees they’ll still be in business a decade from now?

For the adversaries, it boils down to a numbers game. Just as a burglar will select the house with no alarm and a pile of newspapers out front, the cybercriminal prefers the easier target.

Cybersecurity doesn’t have to be perfect. It just has to be good enough to convince the bad guys to perpetrate their crimes against someone else. Which, then, is the equivalent of that telltale pile of newspapers on the lawn: traditional cybersecurity technologies, or the raft of newer, more innovative gear?

For most large organizations, the answer will be some combination of these options – but no matter how you cut it, innovative technologies should be part of the mix.

It’s not time to play politics, or to skimp on the cybersecurity budget. The battle against cybercrime just might be won, but only if the good guys take advantage of any innovation that might give them an edge.

Jason Bloomberg, a leading IT industry analyst, author, keynote speaker and globally recognized expert on multiple disruptive trends in enterprise technology and digital transformation, is founder and president of agile digital transformation analyst firm Intellyx. The firm publishes the biweekly Cortex newsletter, advises companies on their digital transformation initiatives and helps vendors communicate their agility stories. Bloomberg, who can be followed on Twitter and LinkedIn, is also the author or coauthor of four books, including The Agile Architecture Revolution.

Photo: Robert Hof/SiliconANGLE