
Cybersecurity stagnation is a big problem, one expert tells IT Brew

There’s been “a focus on shiny objects in the industry versus the basics,” says GitHub’s CSO.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Tech’s self-propelled mythology claims that the industry is always evolving, and fast.

But according to Mike Hanley, GitHub’s chief security officer and SVP of engineering, one of the most important components of IT—cybersecurity—has been in a state of stagnation for years. That, in turn, is opening the door to threat actors and adversaries who are always innovating to get malicious code into systems.

In an interview with IT Brew, Hanley made clear that he’s not saying there’s been no innovation in the cybersecurity field, just not enough. There’s been “a focus on shiny objects in the industry versus the basics,” he told IT Brew.

Concerns over cybersecurity stagnation are nothing new. In June 2022, Fortinet Solutions Lead Robert Nobilo penned an analysis lamenting the stalling of innovation across the sector and hoping for a more aggressive “inside-out” approach to system protections.

Some products and technologies have shown promise, but remain far from ubiquitous. Hanley cited a lack of multi-factor authentication—something, as IT Brew reported, that Microsoft users have been slow to adopt—and basic security hygiene as indicative of the broader issues at play.

“We’re still telling many organizations to use MFA or to use or to patch their systems,” Hanley said.

Show me the money. Hanley told IT Brew that “security erosion” is one of the main issues facing cybersecurity teams. While 10 years ago, multi-factor authentication, one-time passwords, and the like were effective, today they’re woefully inadequate. And the industry isn’t moving fast enough to cover the skills gap.

To do that will require investment, something that’s long been a problem for IT teams. Companies can be hesitant to invest without seeing a return—by their very nature, successful cybersecurity operations seem invisible—but as a Neustar International Security Council study in December 2022 found, 60% of those surveyed say they fear the rising sophistication of attacks. Without counter investment, a lack of innovation could lead to disaster.

Peter McKay, CEO of developer security company Snyk, has been in the cybersecurity industry for 25 years. He told IT Brew he’s seen the sector ebb and flow over the years between new development paradigms and market shifts, requiring new views on security from larger companies, and innovation from smaller firms looking to compete during challenging times.

“You see the opportunities where new companies have to pop up or new functionality of companies,” McKay said. “Container security wasn’t an issue, and all of a sudden everybody starts using containers. So, I need a solution. And so someone builds that solution in the market.”

Update 06/30/23: This article has been updated to more accurately reflect the company Snyk.
