UK Cyber CTO: Vendors' Security Failings Are Rampant

Published: 23/11/2024   Category: security




The NCSC's Ollie Whitehouse criticizes security vendors for product gaps and behavior that work against organizations in their fight against breaches and ransomware.



BLACK HAT EUROPE 2023 – London – Modern cybersecurity solutions are not good enough to keep up with attackers' growing capabilities, allowing threat actors to operate without sufficient consequences.
That's according to Ollie Whitehouse, chief technology officer of the UK's National Cyber Security Centre (NCSC). In the opening keynote of Black Hat Europe in London today, Whitehouse highlighted a number of challenges and opportunities that the industry faces and should be looking to address.
Among those challenges, Whitehouse named asymmetric threat actors, high levels of technical debt, and a misguided desire for one security solution that solves all problems as top concerns for overall business safety. But Whitehouse, who joined the NCSC in September and previously served as CTO of consultancy NCC Group and in research roles at BlackBerry and Symantec, specifically highlighted a number of issues caused by gaps in security vendors' products and behavior that work against the goal of a more cyber-secure world.
For instance, he said there is a fundamental challenge around closed ecosystems, especially where there is no option to get access to product telemetry. Whitehouse said this is "wonderful for those vendors because they monetize that [threat intelligence] and they create their walled gardens," but not so great for organizations looking to shore up defenses and make informed choices about security priorities.
Additionally, he singled out security up-charges as "the saddest vendor failing." Particularly when it comes to software-as-a-service (SaaS), how deep the security protections go depends on the subscription tier, he pointed out: the more money spent, the more secure the product is.
"That seems inexcusable in 2023," he said, adding that the extra costs are not sustainable for many businesses.
Whitehouse also said there is an opportunity for greater transparency from vendors, particularly those who sell both on-premises and SaaS products. Many times, a vendor will disclose a vulnerability in the on-premises version of a product but not for the SaaS version.
"I would suggest that they are not being entirely transparent about whether that [vulnerability] affected their SaaS version and if it was exploited and for how long," he said, adding that it's an issue plaguing IT and network infrastructure vendors in general.
"There is a set of behaviors here on behalf of SaaS vendors, and others, where they could be more honest," he noted.
And finally, looking ahead, he called for security vendors to pay more attention to attacks against industrial control systems (ICS). The recent spate of attacks on water treatment plants in the US, for instance, "remind us that there is a problem there, but it is not in our face every day like ransomware. But we really need to be mindful that this is the world we are potentially heading toward."
He added that there is no need to be alarmist about the threats, but advanced threat actors are preparing for these types of attacks, "and that is why we need to be ready."
In terms of how to shore up security without being held hostage by individual vendors, Whitehouse highlighted several items of "low-hanging basic security fruit" he would like to see organizations address. These include securing legacy technology, "as we are good at focusing on the new and fancy," as well as enforcing better password hygiene, focusing on asset discovery and inventory, and getting rid of unsupported platforms.
Another item that's easy to focus on is Web security, he noted, adding that "we know how to solve cross-site scripting and SQL injection vulnerabilities."
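The two fixes Whitehouse is alluding to are well understood: bind untrusted input as a query parameter instead of pasting it into SQL text, and encode untrusted input before it lands in HTML. The following is an added example, not code from the keynote or from the NCSC; it uses an in-memory SQLite table with constructed rows and constructed payloads, and shows the vulnerable form of each pattern next to its hardened form so the difference in behaviour is visible.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 1)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    # Vulnerable: the untrusted value becomes part of the SQL text, so quote
    # characters in it change the structure of the query.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Hardened: the value is bound as a parameter and can only ever be data;
    # the query structure is fixed before the value is seen.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting_vulnerable(name: str) -> str:
    # Vulnerable: raw input is interpolated into markup, so tags in it execute.
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened: encode for the HTML text context, including quotes, so the
    # browser renders the input as literal characters.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed attacker inputs for the demonstration.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = '<img src=x onerror="alert(1)">'


def demo() -> dict:
    """Run both payloads through the vulnerable and hardened code paths."""
    conn = make_db()
    return {
        # Vulnerable query becomes WHERE name = '' OR '1'='1' and returns every row.
        "sqli_vulnerable": find_user_vulnerable(conn, SQLI_PAYLOAD),
        # Parameterized query looks for a user literally named "' OR '1'='1".
        "sqli_safe": find_user_safe(conn, SQLI_PAYLOAD),
        "xss_vulnerable": render_greeting_vulnerable(XSS_PAYLOAD),
        "xss_safe": render_greeting_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The parameterized form returns nothing for the injection string because there is no such user; the vulnerable form leaks every row, including the admin. For HTML, output encoding is context-specific: `html.escape` is correct for element text and quoted attribute values, but data placed inside a `<script>` block, a URL, or an event handler needs the encoder for that context.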
And finally, there's the human element. There is a need to make phishing a thing of the past given that multifactor authentication (MFA) and WebAuthn can already "solve some parts of it," he said. While it is clear "we legitimately have a long way to go in this challenge," the tools that are available should be deployed, along with a focus on user awareness.
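The reason WebAuthn resists phishing where a one-time code does not is that the browser, not the page, writes the origin it is actually on into the signed client data, and the authenticator scopes the credential to the relying party ID derived from that origin. A relay attacker who forwards the real site's challenge to a victim on a look-alike domain gets back an assertion that is cryptographically valid but carries the wrong origin and RP ID hash, and the relying party rejects it. The following is an added example, not code from the keynote or from any WebAuthn library: the relying party name `example.com`, the look-alike domain, the challenge handling and the helper names are all assumptions, and an HMAC with a shared constructed key stands in for the authenticator's real public-key signature so the block runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import os

# Hypothetical relying party (assumed for this example).
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"

# Stand-in for the credential's private/public key pair. A real authenticator
# signs with ECDSA/RSA and the RP verifies with the stored public key; the
# shared HMAC key here is a constructed substitute, not how WebAuthn works.
STANDIN_KEY = b"constructed-authenticator-key-for-demo"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_sign(client_data_json: bytes, rp_id: str) -> dict:
    """Authenticator side: sign authenticatorData || SHA-256(clientDataJSON)."""
    # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set) || signCount.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(STANDIN_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data, "signature": sig}


def browser_assertion(challenge: bytes, browser_origin: str) -> dict:
    """Browser side: the origin is filled in by the browser from the page it is on,
    and page script cannot override it."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": browser_origin}
    cdj = json.dumps(client_data, separators=(",", ":")).encode()
    host = browser_origin.split("://", 1)[1]  # effective domain the credential is scoped to
    return authenticator_sign(cdj, host)


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying party side: the checks that make the assertion phishing-resistant."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(STANDIN_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    challenge = os.urandom(32)  # issued by the RP for one login attempt
    legit = browser_assertion(challenge, RP_ORIGIN)
    # Adversary-in-the-middle phishing: the attacker relays the genuine challenge
    # to a victim whose browser is on a constructed look-alike domain.
    phished = browser_assertion(challenge, "https://example.com.login-verify.net")
    return {"legit": rp_verify(legit, challenge), "phished": rp_verify(phished, challenge)}


if __name__ == "__main__":
    print(demo())
```

The same relay against a TOTP or SMS code succeeds, because the code carries no information about where the user typed it. Here the signature over the phished assertion is valid, and it is still refused on the origin and RP ID checks; a real relying party also has to store and compare the signature counter and verify the signature with the registered public key, which this stand-in omits.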
