The Cybersecurity Industrial Complex: A Call for Change
I have a theory, not yet fully developed, but the seed of an idea: We exist within a Cybersecurity Industrial Complex (CIC) from which detrimental systems have sprouted. (NOTE: I’m not the first person to use this term - Malcolm Harkins used something basically equivalent in his 2019 blog post, “The Rise of the Cyber Industrial Complex” and Edward Snowden talked about the concept here in 2013.)
This complex includes cybersecurity vendors, managed service providers (MSPs), systems integrators, non-profits, NGOs, cybersecurity certification organizations, auditors, government agencies, industry conference and event organizations, and various organizational security programs. According to McKinsey & Company, “the world spent $150 billion in 2021 on cybersecurity, growing by 12.4 percent annually.” Grand View Research estimates the global cybersecurity market to be more than $222 billion in 2023, growing to more than $500 billion by 2030. That McKinsey & Company article asserts a $2 trillion market opportunity in cybersecurity. Clearly, we are spending a lot of money on solving the problem.
Yet, despite the extensive CIC infrastructure and the money we spend on it, we continue to see increases in attacks and compromises - because we still face basic security program challenges such as asset management, configuration management (including system patching), and dealing with sophisticated cyber threats. Even the “best” organizations are getting popped.
Given the four truths I previously discussed and the state of the CIC, our cybersecurity industry system seems broken. But what incentive is there to change?
The status quo benefits vendors, MSPs, certification organizations, auditors, and systems integrators. NGOs and non-profits, despite their admirable missions, have also become part of this status quo. The US Government tries to drive change, but many distrust these efforts, and their purchasing power is limited (just look at the mixed results of SCAP and other security automation standardization efforts).
This brings me to a crucial question: If we could reimagine a different cybersecurity infrastructure, what would it look like?
I believe we need at least two things:
Imagine if your laptop could broadcast its configuration state to an aggregation service in a trusted way. What if your cloud environment could spill out its configuration state using a common standard? What if network operations generated events conforming to a common information model?
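As an added illustration of the what-if above (example code, not part of the original post): a toy aggregation service in which two constructed sources, an endpoint agent and a cloud inventory, each with its own hypothetical schema, are normalized into one common record, the record is integrity-protected with an HMAC under a provisioned per-device key (an assumption, standing in for whatever trust mechanism a real deployment would use), and a single patch-currency question is then answered across both sources at once.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Assumption: a per-device key provisioned out of band; constructed value for the demo.
SHARED_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class ConfigState:
    """The common information model every source is normalized into."""
    asset_id: str
    source: str
    os: str
    patched: str      # ISO date of the most recent applied patch baseline
    last_seen: str

def normalize_laptop(report: dict) -> ConfigState:
    # Hypothetical endpoint-agent schema (constructed for this example).
    return ConfigState(report["hostname"], "endpoint", report["os"]["name"],
                       report["os"]["patched"], report["ts"])

def normalize_cloud(inst: dict) -> ConfigState:
    # Hypothetical cloud-inventory schema (constructed for this example).
    return ConfigState(inst["InstanceId"], "cloud", inst["Platform"],
                       inst["PatchBaselineDate"], inst["LastReported"])

def sign(state: ConfigState, key: bytes) -> tuple[bytes, str]:
    """Serialize canonically and tag so the aggregator can detect tampering."""
    body = json.dumps(asdict(state), sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def ingest(body: bytes, tag: str, key: bytes) -> ConfigState:
    """Aggregator side: reject any record whose tag does not verify."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("rejected: integrity check failed")
    return ConfigState(**json.loads(body))

def out_of_date(states: list[ConfigState], minimum: dict[str, str]) -> list[str]:
    """One query over every source: assets patched before the per-OS minimum date."""
    return sorted(s.asset_id for s in states if s.patched < minimum.get(s.os, ""))

# Constructed sample input from the two sources.
LAPTOP_REPORT = {"hostname": "lt-0042", "os": {"name": "Windows 11", "patched": "2023-09-12"},
                 "ts": "2023-10-01T08:00:00Z"}
CLOUD_INSTANCE = {"InstanceId": "i-0abc123", "Platform": "Linux",
                  "PatchBaselineDate": "2023-10-15", "LastReported": "2023-10-16T00:00:00Z"}
MIN_PATCH = {"Windows 11": "2023-10-01", "Linux": "2023-10-01"}

def demo() -> list[str]:
    records = [sign(normalize_laptop(LAPTOP_REPORT), SHARED_KEY),
               sign(normalize_cloud(CLOUD_INSTANCE), SHARED_KEY)]
    return out_of_date([ingest(b, t, SHARED_KEY) for b, t in records], MIN_PATCH)
```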
Standards folks often say, “We have a solution for that in standard X or specification Y.” They’re not wrong, but the issue is that their solutions are not natively integrated into the technologies enterprises operate, and they’re not nearly ubiquitous enough. It’s like the classic XKCD comic about competing standards.
I don’t have a fancy solution to this problem, but I see the proliferation of cybersecurity software and services continuing without any real reduction in attack efficacy. A common information model might not be a complete solution, but it's something we’ve never fully realized, perhaps because we never really looked at it as a problem solvable by applying the principles of a data-centric architecture.
There is some hope, however. I came across this post from Elastic, “Free the data: Why US federal agencies should standardize on OpenTelemetry” (read more about OpenTelemetry here). That post talks about standardizing specific observability data (think traces, metrics, and logs; I’m not sure if configuration data would be included in that mix yet) and, citing a report by Garland Consulting, states “reducing vendor lock-in by just 5% could produce a staggering $750 million in taxpayer savings every year.” That’s just the federal government. I wonder what that number would look like extrapolated to the global cybersecurity market, and I wonder what other similar examples exist in the market (it might be time to revisit my standards mapping).
We need to keep in mind that small businesses (argued to be the driver of the US economy), non-profits, and underfunded government-related entities (think K-12 education), which lack the resources for robust security programs, are particularly vulnerable. They may not always be the biggest targets, but they still have valuable information worth protecting - and it seems that they’re targeted more often as the years creep by. If more security program support were native to the technologies they use, they would stand a chance of standing up and operating a reasonably effective security program. If they have to rely on the CIC status quo, they don’t really stand a chance.
Additionally, if the status quo continues, cybersecurity insurance and operational costs will be passed down to customers, who will bear the financial burden. (It always comes back to us - what are we willing to tolerate?)
We need to do better. CISA's Secure by Design campaign, which encourages technology vendors to build security into the design phase of products, is a good start, but can we accelerate it? Can we enable it at lower technology levels (i.e., under the hood)? Is there a coalition of cybersecurity standards organizations willing to work on a unifying model?
The easier security programs are to implement and operate, the fewer organizations we need from the CIC. If our everyday technologies natively supported security, many of these organizations would become redundant. There is no incentive for the CIC to make security programs easier because it threatens their existence.
Why doesn't this happen? Those with the power and resources are stuck in the "default mode network" of the CIC. They lack the time and motivation to break out and innovate.
Are we stuck with the CIC? Maybe. Maybe not. I want to try to change that by doing the work CISOs want to do but can't. Who's with me? Where are the holes in this approach? Who believes we can create the future we want?
Experienced Product Manager With 6 Years Of Cybersecurity And 20 Years Of Product Management Experience
Adam, I believe that you put your finger on a significant problem. We are focused on our own silo and are ignoring the systemic whole. As a data point, how many copies of the asset inventory does a company have? Finance has one for onsite depreciation. VM does scanning and creates one. IT has one for configuration management. And none of them are complete. In my work with incident response groups, we've regularly found that many companies have difficulty even giving you an accurate asset list. In one conversation with a Canadian bank, they knew that something was connected to the network but didn't know what 30% of the devices were. What you are describing looks like a centralized single source of truth. I like your thinking.