Bruce Schneier regards the history of cyber attack and defense as a trilogy. The ’90s, he says, were all about prevention. The ’00s were about detection. And the ’10s are—and will continue to be—about response.
Schneier—author of more than a dozen books on privacy and security, the latest of which is the bestseller Data and Goliath—knows a thing or two about story arcs. But judging from the responses to a survey commissioned by Resilient Systems, the Mass.-based cybersecurity firm where Schneier serves as chief technology officer, distressingly little progress seems to have been made in the last chapter of that attack-and-defense narrative. Businesses are readily admitting that they are not prepared to withstand electronic assaults.
The survey—conducted by the Ponemon Institute, a security research firm, and the results of which were offered exclusively to Fortune—asked more than 600 IT pros in the United States about their organizations’ “cyber resilience.” (Resilient Systems, nice touch.) As the paper defines the phrase: “The capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks.” An undeniably squishy concept, to be sure.
Nonetheless, the responses are telling. According to the poll, a mere 25% of respondents rated their organizations as highly resilient. That means on a scale from one (glass bones) to 10 (adamantium), the vast majority of tech leads ranked their organizations at a six or below—a finding that doesn’t inspire much confidence.
“That’s important because regularly, most people rate with a halo effect,” said Larry Ponemon, chairman and founder of the self-named institute, who oversaw the survey. “Organizations will give themselves an ‘A’ when they really deserve a ‘B+’.”
In the face of cyberattacks such as the devastation against Sony Pictures (SNE), the thrashing of Italian spyware firm Hacking Team, and the drubbing of extramarital affairs site Ashley Madison (among countless others), the self-assuredness of security teams seems to be slipping. Two-thirds of respondents rated their organization’s ability to prevent a cyberattack as not high. And an ever greater share—68%—graded their ability to recover from cyberattacks the same.
“Resilience is a weird thing,” Schneier told Fortune in a phone interview earlier this week. “You can’t buy resilience like you can buy a firewall. It’s an emergent property.”
And yet the goal of Resilient—Schneier’s company—is to offer just that. Renamed from “Co3 Systems” earlier this year (questions as to what the former title stood for were met inexplicably with, Oh I’ve forgotten and Now you know why we changed the name), sells subscriptions—priced between about $150,000 to $250,000 per year—to companies for access to its cloud-based crisis management software, which Schneier described as resembling a social network, like Facebook (FB) or LinkedIn (LNKD).
“Basically, they’re an incident response workflow in the cloud for you,” said Rick Holland, an analyst at the research firm Forrester. “They’re coming up pretty quickly relative to their position as a startup that’s 5 years old.”
“We are the missing piece of the puzzle,” Schneier assures Fortune, referring to his company’s mission to address that oft neglected final member of the cyber trinity: Prevention, Detection, and Response.
Indeed, anyone will tell you that traditional preventative measures like anti-virus software ain’t cutting it these days. Breach hysteria has spurred a frenzy of investment activity as cyber security startups race to plug the holes in our cyber defenses. Hundreds of upstarts are offering “next-generation” this and that—higher firewalls, more virulent anti-virus, smarter threat intelligence, more formidable forensics. Resilient is angling for a different slice of the market, one occupied by fewer incumbents, such as RSA’s (EMC) Archer product suite and some open source tools, that manage response processes.
Recently, Resilient added a bit of automation into the mix, too, integrating the product with intelligence feeds that automatically identify attacks and walk incident response teams through the steps to mitigate them. But the tools still require human contact—especially during times of emergency. Schneier, who spoke to Fortune from an airport terminal prior to boarding a flight, said he believes that technology should run the show, until crisis strikes. Then people must lead.
For instance: airport security. “I should probably say this quietly,” said Schneier, who had passed through the TSA’s body scanners and metal detectors not 20 minutes prior, “but if I’m going through security and I made a bomb joke, someone would call the police and that relationship would switch. There would still be lots of technology, but people would be in charge.”
“That’s a fundamental aspect of a resilient system,” he added. “Because people are much more adaptable than technology.”
John Bruce, CEO and co-founder of Resilient, made a point in a conversation with Fortune to draw a distinction between the assurances his company makes versus those of rival cybersecurity companies, calling the latter set “the doghouse”—”where vendors make outlandish claims.” He drew on the authority and reputation of Schneier to lend Resilient’s assertions credence.
“Bruce brokers no B.S.,” Bruce (the CEO) told Fortune, in reference to Schneier, his no-nonsense business partner. Previously, the pair had worked together at the cybersecurity firm Counterpane Internet Security in the early ’00s, before the British telecom giant BT Group (BT) acquired it for more than $20 million in 2006. Bruce served as head of sales and marketing there after leaving Symantec (SYMC). Now, as then, Bruce says of Schneier, “He keeps us very honest.”
What then of Resilient’s technology? Will it not lessen the desperate need for hands on deck when a hack hits the fan? “There’s no magic fairy dust you can buy that will make you perfectly safe,” Schneier said. “Life is risk.”