Cyber Threats are Constantly Changing and Two Other Platitudes.
David Rhodes
Helping Federal Government Navigate Complex Risk | Enterprise GRC Advocate
With a layman’s opinion.
Let’s address the elephant in the room: as a sales guy, account manager, etc., I have been guilty of saying and hearing the following three platitudes more times than I can count.
Last week I swear I saw someone’s eyes glaze over. No, not the standard blank look people get every so often, but almost like a reflective film slowly rolling down over their eyes. Just seconds before, someone had mentioned that “cyber security is an ever evolving landscape.” I instantly wrote it down in my notebook with the word platitude next to it. Over the last few days I have not stopped thinking about the buzzwords and platitudes we use. I came up with a list of a dozen or so and whittled it down to three that seem to come up in every conversation. They are as follows:
· Cyber security is an ever evolving landscape.
· Protect the crown jewels.
· It’s a people problem, not a technology problem.

Cyber security is an ever evolving landscape.
This is the one that started this thought process, mainly because it seems to be the one that salespeople use the most, especially when they are trying to push a new technology or solution, often for a problem the customer does not even know exists, let alone that they have it. This reminds me of my time at Sonatype. Many customers were adamant that they didn’t have any open source in their software development lifecycle. That was until they heard about Log4j and all the issues that caused.

Open source governance and security was presented as a new attack vector, especially with malicious actors using techniques like typosquatting and namespace (dependency) confusion attacks. Fundamentally, though, it is patch management of the component parts of an application, something that has existed from the dawn of time and, from a Federal Government perspective, since the inception of the Essential Eight. While yes, cyber security is an ever changing challenge, too often we use this phrase as a crutch. Fundamentally, the basic principles are still solid, and they have been a focus of both the Federal Government and organisations that fall under critical infrastructure.

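As an added example (not from the original post, and not Sonatype’s tooling), here is a small Python audit that reads a pip requirements manifest and flags the two attack classes mentioned above: typosquatted names (within two edits of a well-known package) and namespace confusion (an internal package name being resolved while `--extra-index-url` is in use, where pip takes the highest version seen across all indexes). The allowlist of well-known packages, the internal package names and the manifest itself are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed for this example: a short allowlist of well-known public packages
# and the organisation's own internal package names. In practice these come from
# registry popularity data and the private index, not a hard-coded set.
WELL_KNOWN = {"requests", "urllib3", "python-dateutil", "numpy", "cryptography", "boto3"}
INTERNAL = {"acme-billing-core", "acme-auth-sdk"}

# Matches the package name at the start of a requirement line, e.g. "requests==2.31.0".
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalise(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str    # "typosquat" or "namespace-confusion"
    detail: str


def audit(manifest: str, well_known=WELL_KNOWN, internal=INTERNAL) -> list[Finding]:
    findings: list[Finding] = []
    lines = [ln.strip() for ln in manifest.splitlines()]
    # pip merges --extra-index-url with the default index and installs the highest
    # version seen anywhere, so a public "acme-billing-core 99.0" beats the private one.
    uses_extra_index = any(ln.startswith("--extra-index-url") for ln in lines)
    for ln in lines:
        if not ln or ln.startswith(("#", "-")):
            continue
        m = REQ_LINE.match(ln)
        if not m:
            continue
        name = normalise(m.group(1))
        if name in internal:
            if uses_extra_index:
                findings.append(Finding(name, "namespace-confusion",
                    "internal name resolvable via --extra-index-url; point --index-url "
                    "at a private proxy that is the sole source instead"))
            continue
        if name in well_known:
            continue
        # Anything unknown that sits within two edits of a popular name is suspect.
        for known in sorted(well_known):
            d = edit_distance(name, known)
            if 0 < d <= 2 and len(known) >= 5:
                findings.append(Finding(name, "typosquat", f"within {d} edit(s) of '{known}'"))
                break
    return findings


# Constructed sample manifest: one misspelt public package, one internal package,
# and the risky --extra-index-url pattern.
SAMPLE_MANIFEST = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0
reqeusts==0.0.1
python-dateutil==2.8.2
acme-billing-core==1.4.0
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST):
        print(f"{f.kind:20} {f.package:20} {f.detail}")
```

On the sample manifest the audit reports `reqeusts` as a typosquat of `requests` and `acme-billing-core` as a namespace-confusion candidate; swapping `--extra-index-url` for `--index-url` pointing at a private proxy that mirrors PyPI removes the second finding, which is exactly the "patch management of the component parts" fix the paragraph describes.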
Protect the crown jewels.
Or the slightly less common “protect what matters most.” This is another one of my favourites that could easily turn into a messy drinking game. Yes, the crown jewels should be protected, but not at the expense of other assets.
I keep thinking about reputational risk, and how organisations seem to deflect with the phrase: “No customer data (or other high value asset) was compromised.”
This thought led me to explore whether reputational risk even exists in the real world. Optus had one of the most public breaches of the last few years, and their crown jewels were compromised. As of today there has been no material impact on their share price, either in dollar value or compared with their competitors.
Conversely, I think about the recent Microsoft breach where Russian state-based actors managed to compromise accounts of senior executives within Microsoft. Discussed in the following article:
It mentions that 85% of the US Federal Government (and the numbers are similar here) rely on Microsoft’s productivity tools, namely Teams. This article poses a great question about reputational risk, and how an organisation may not view its crown jewels in the same way that an attacker does.

It’s a people problem, not a technology problem.
This one is an all-time favourite, especially from my customers’ perspective. It is closely tied to what feels like every executive’s two favourite words, “skills gap”. I see this one coming in two different flavours:
1. Misconfiguration of technology: open APIs pointing at production data, easily accessible S3 buckets of civilian data.
2. People are the weakest link: clicking links in email, limited cyber security education, figuring out ways to bypass the technology in place.
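To make the “easily accessible S3 bucket” flavour of misconfiguration concrete, here is an added Python example (not from the post) that audits a bucket policy document offline. It flags Allow statements granted to the anonymous principal (`"Principal": "*"` or `{"AWS": "*"}`), separating those with no Condition (public) from those with a Condition (which need a human to judge whether the condition actually restricts the caller). The policy document, bucket name and account ID are constructed for this example.

```python
from __future__ import annotations

import json

# Constructed sample bucket policy. The account ID is the AWS documentation placeholder.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::citizen-records/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::citizen-records/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::citizen-records/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::citizen-records/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(v):
    """IAM policy fields may be a scalar or a list; treat both uniformly."""
    return v if isinstance(v, list) else [v]


def _is_anonymous(principal) -> bool:
    """True when the statement applies to everyone: "*" or {"AWS": "*"} (any value form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket_policy(policy_json: str) -> dict[str, str]:
    """Map statement Sid -> verdict for every Allow granted to the anonymous principal."""
    policy = json.loads(policy_json)
    verdicts: dict[str, str] = {}
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement-{idx}")
        # Deny statements (e.g. forcing TLS) are fine; only anonymous Allows are reviewed.
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition may scope the grant (aws:SourceVpce) or may not
            # (aws:SecureTransport alone still lets anyone read over HTTPS).
            verdicts[sid] = "anonymous-allow-with-condition: review"
        else:
            verdicts[sid] = "PUBLIC: anonymous Allow with no Condition"
    return verdicts


if __name__ == "__main__":
    for sid, verdict in audit_bucket_policy(SAMPLE_POLICY).items():
        print(f"{sid}: {verdict}")
```

Bucket policies are only one layer: S3 Block Public Access settings and object ACLs also decide real exposure, so a PUBLIC verdict here means the policy would expose the objects if Block Public Access is switched off at the bucket or account level.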
One challenge within the cyber security space is that it is hard to show a true ROI. This is because security is seen at best as a cost centre and at worst as a form of business prevention. The question is often: how do you measure a non-event?

One area in cyber security that does this well is the identity space. On the one hand, it is pretty easy for the end user to understand what is happening:
More factors of authentication > greater certainty that it is me trying to access > more secure.
In the same breath, SSO also demonstrates user value to staff members, as they are not required to remember 13 different passwords for 13 different systems, not to mention the operational efficiencies of onboarding and offboarding.
Many technologies may offer the same benefits but are not adopted because they do not articulate those benefits, especially to the end user. Technology should be the guardrails that protect the organisation and its users, not the roadblocks that impede their work.
Bonus: Skills Gap
In a different conversation, I asked a cyber security practitioner how they would address the skills gap. I have summarised their thoughts below:
Cyber security is an ever evolving landscape, and as such there is no “cyber security specialist”; every so often you see a role asking someone to wear 6 different hats and do the work of a team. To protect the crown jewels you need a wide range of skills, both in a preventative and in a responsive capacity. It becomes a people problem, not a technology problem, as we know that the tools can help but we are spread too thin to learn to utilise them to the best of their capabilities.
What are some of your (least) favourite platitudes?
Managing Partner, Cybersecurity | CIO | Adjunct Professor | Harvard MPA
1 year ago: Hi David Rhodes, this is one of the best write-ups I have seen. Simple yet powerful statements, and I appreciate your observations for everyone to stop and think about seriously. Sometimes, we have to go slow to go fast.