Much of the marketing and narrative for cybersecurity revolves around making unrealistic promises in an attempt to solve grandiose problems. The message from vendors - and the perception of many customers - is that cybersecurity is complex and overwhelming, beset by challenges as organizations try to defend their systems against malcontents wearing black hoodies and sophisticated nation state adversaries. Products and services are positioned as “silver bullet” solutions that will magically fix everything. It’s time for cybersecurity strategy to shift from this mentality and focus on realistic steps that can be taken to improve operations.
The Sky Is Falling
There is a pervasive theme in cybersecurity. If you look at the headlines or the messaging from most cybersecurity vendors, you will no doubt learn that the internet is plagued with malicious exploits and automated attacker-friendly tools. Your networks, servers, applications, and data are all under constant siege from botnets, phishing scams, advanced persistent threats, ransomware, and other cyber attacks.
Cybersecurity experts have been saying for nearly a decade that the perimeter is dead—that the days of the “us vs. them” or “inside vs. outside” mentality are over and the idea that you can be secure if you just build a strong enough wall between your internal network and external attackers no longer holds true. Experts have also claimed for years that it’s not a matter of “if” your network is compromised, but “when”. It’s virtually inevitable that attackers will get past whatever defenses you have in place and infiltrate your systems.
The sky is ostensibly falling and we all need to panic.
Do What You Can
All of that is true to some extent, but it’s also not useful or helpful. People get it.
Instead of sounding the alarm and just trying to scare everyone into feeling like resistance is futile and cybersecurity is pointless, organizations need to have an attitude of, “OK. Now, what can we do about it?”
It’s true that no network is completely impervious to attack. It’s likely your network will be breached—it’s also likely that attackers are inside your network conducting reconnaissance right this minute. It’s fair to think of cybersecurity in those terms—just don’t take it as a sign of futility. Use it as incentive to shift your cybersecurity strategy.
Once upon a time, it seemed like the goal of cybersecurity was to prevent and block all attacks. That goal is impractical. The goal should be to simply raise the bar for cybersecurity. Organizations need to have tools and processes in place that raise the cost of entry and make it more challenging for attackers to gain access in the first place. Organizations also need to be able to quickly detect and respond to suspicious or malicious activity inside the network to reduce dwell time and minimize the impact of a compromise.
Eat the Elephant One Bite at a Time
Organizations are adopting SaaS (software-as-a-service) technologies at a rapid rate. Protection and governance of data is one of the primary challenges facing CIOs and CISOs today. With the demise of the traditional cybersecurity model of guarding the perimeter, security controls are still constantly trying to play catch up with a rapidly evolving threat landscape.
An unintended but perhaps predictable consequence of this transformation is the increasing threat to enterprises as core aspects of their businesses move online. Organizations have to protect complex ecosystems that include dynamic hybrid cloud environments, endpoints, mobile devices, IoT devices, and more. Meanwhile, the attackers adapt new tools and techniques and the threat landscape is constantly expanding and evolving. It’s easy to look at the situation and consider just throwing in the towel.
There is a Chinese proverb that goes, “How do you eat an elephant? One bite at a time.”
Eating an elephant may seem like a daunting—perhaps impossible—task for a human being. You certainly can’t swallow it whole or eat it in one sitting. However, if you just keep taking one bite at a time you will eventually eat the whole thing.
Cybersecurity has a similar challenge. The prevailing messaging makes it seem like there’s no hope. The reality, though, is just because you can’t solve the whole thing doesn’t mean you shouldn’t strive to solve the issues that you can.
The First Few Bites
If you’re struggling to decide where to start, here’s a broad framework for setting up and improving an information security program within an organization:
- Start with what you have: Cybersecurity may have an effectiveness problem, but the answer doesn’t have to be a complete overhaul of your systems everytime. If you conduct a thorough audit of your existing security posture, you’ll doubtless find some things that don’t work, some things that could be better, and some things that actually work well.
- Evaluate gaps and risks: Your audit of current processes should ideally end in finding the ‘true’ gaps and sources of risk for your organization. Don’t take the path of least resistance and zero in on boilerplate security challenges. Be open minded in your evaluation and ‘follow the money’ to the real problems that need solving.
- Prioritize: Parkinson’s law - work expands to fill the time available - is meant as a caution and not as guidance meant to be followed. It’s important to plan for top priorities, assign budgets that acknowledge their severity, and pull the entire organization in a singular direction.
- Partner up: Cybersecurity takes a village and can never be under one party’s purview. Reflect on your gaps in expertise and leverage partnerships wherever possible - whether it’s jointly working with vendors to drive product roadmaps or tapping into open-source communities for TTPs.
It will be challenging. There won’t be a magic “silver bullet” solution that just makes the problem go away. We are all in it together, though. If we ignore the messaging hyperbole and FUD (fear, uncertainty, and doubt), focus on established cybersecurity best practices, and take practical steps to raise the cost of entry for attackers, we can achieve a world with more effective cybersecurity.