Cybersecurity Doesn’t Need New Technologies
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
We don’t need leading edge AI-powered end-point protection to ward off the next cyberattack. What we need instead is trailing edge hygiene and fundamentals coupled with a solid SIEM/SOC, comprehensive controls and monitored processes. Because until Jack in accounting stops using his personal Yahoo password on your network and learns how to detect a phishing attack, no amount of advanced technology will help you prevent the next breach.
Our approach to information security over the last decade has not changed. We have been buying and installing security tools to automate the detection of exposures in areas like patch management, firewalls, privileged access, data loss, end-points, privacy, application vulnerabilities, ad nauseam, yet these issues persist and remain at the top of the list of information security targets today. We continue to approach the problem in the same way, year after year, expecting somehow that we will achieve a different outcome.
But we never do.
I can’t even remember the most recent breach. They have all become a blur. In fact, it appears that breach fatigue has permeated the public consciousness. A survey called The Consumer Attitudes Toward Data Privacy and Security Survey by Janrain just found that almost half of U.S. consumers surveyed report that they would forgive data breaches and cybersecurity controversies if companies demonstrate good faith in trying to prevent them. Sort of the equivalent of throwing your hands into the air and waving a white flag of surrender. Most people assume that their data is in the hands of the bad guys already and there is nothing they can do about it. Who can blame them?
So, given that we now have CISOs who are generally being held accountable for measurable and sustainable risk reduction, shouldn’t we be focused on the processes and controls surrounding these issues and not just on the technologies and tools?
Shouldn’t we insist that security initiatives be undertaken only when we have confidence that the initiative will actually solve a security issue, sustain the solution and be able to reflect that solution through measurable risk reduction?
And when we start to identify the areas of exposure that we want to address, shouldn’t we try to find the ones where the greatest risk reduction can be achieved compared to the amount of dollars we spend? Shouldn’t we also make sure that once implemented, the solution will sustain control of the risk and prevent it from increasing again?
Because what we have historically done is just the opposite. We have tended to focus on a risk area and then examine the related rules and bring them up to date, eliminating those which are out of date or redundant and refreshing others to reflect the current realities. Simply installing an IDS/IPS is not going to permanently solve a security exposure. It must be continually monitored and adjusted to sustain its relevance to a changing operational environment. Risks shift, rules become outdated, and new vulnerabilities appear constantly.
What we have historically missed are the controls, processes, and tools to manage in an evolving reality, and the coverage, remediation and automated monitoring of the controls to assure continued relevance.
If we fail to build into our processes, remediation programs and security initiatives the ability to monitor future change, we expose ourselves to the inevitable growth and re-emergence of the same risks and vulnerabilities we had earlier dispatched. That may be why our Boards are reluctant to trust our rationale for increased information security spend.
We don’t lack for examples of process and controls issues that have led companies to be breached. From Target to Yahoo to Equifax, we have vivid case studies that could accurately characterize our own company’s readiness or failure to prepare. Whether it’s a third-party vulnerability, a spear-phishing attack or a failed patch process, we have seen what not to do. And we also see what the actual costs of failure can be.
Either waiting for the next cool technology, AI or ML thingy that will solve all our information security problems or blaming our exposure on the lack of these tools are both bad strategies, because neither train will ever get to the station. We have perfectly adequate technology right now. What we lack are the process mechanics that will ensure the deployment of these tools is correctly aimed and managed to assure continual prevention, protection and defense against cyber-attacks. We lack basic training and awareness. We lack skilled resources, yet few of us seem able to hand the management and monitoring over to professional third parties.
If our CIOs and CISOs would focus on developing a complete, end-to-end process along with a set of controls for each area of risk, supplement that process with current technology, and then outsource all of the management and monitoring to people who possess those skills, we would have a better chance not only of containing and remediating attacks but also of improving our overall management and mitigation of risk over time.
Easy to talk about, but hard to do? Maybe. But one thing is clear. Doing it the other way isn’t working.
Geospatial, Cybersecurity, and Program Management
6 years
We cannot disagree, yet in our homes we continue to deploy better security systems, smoke and carbon dioxide alarms, put fences up, in some cases bars on our windows, IoT remote monitoring technology, have security guards at private communities and much more. The human element will always be a factor. It doesn’t matter how many bells and whistles, locks and alarms you have on your front door, if you let the pizza delivery man in without checking his credentials what’s the point? As volume, velocity, variety and complexity of network attacks and enterprise data increases, the challenge lies in enhancing and automating the ability to understand, interpret, query and model the activity of complex systems generating the data and causes of attacks. This requires an integrated, standardized, and agile information sharing environment to enable cyber data transfer, ingest, analytics, cyber situational awareness and defensive cyber operations. The human SIEM SOC analyst needs the aid of more automated, robust, dynamic, self-learning intelligent solutions to more quickly identify and respond to attacks. It will be exciting to see where Big Data Platform incident response solutions like DISA, NSA and ARCYBER deploy will take us.
Dark by Design ZeroTrust Principal Executioner.
6 years
Good enough cybersecurity is a resource execution problem, not a technical problem. Cybersecurity was deprioritized.