Cybersecurity Is Still Not Very Important
(With acknowledgment to and respect for Andrew Odlyzko's introspective article, "Cybersecurity Is Not Very Important" -- https://www.dtc.umn.edu/~odlyzko/doc/cyberinsecurity.pdf)
The gaudy tech circus known as the RSA Security conference comes to San Francisco's Moscone Center this week. Motivated primarily by FOMO, fueled by hyperbole, exuding desperation, security firms of every shade and hue will vie for consideration, for the chance to convince you and me that their technology is superior, their methodology more definitive.
Is the marketing and PR spend that cybersecurity firms commit to RSA justified? Probably not. The circus is crowded, time is limited, and attention spans are depleted. Yet the show must go on.
We network, attend keynotes and seminars, work on certifications, filter useful info from hype, digest sales demos in hotel suites, digest drinks and dinners in restaurants. We briefly inhabit a cocoon of naivete, and make believe that security -- Internet security in particular -- really does matter to people outside the RSA echo chamber.
...
The truth is that security in all its aspects -- identity, access, privacy, risk management, response, awareness, compliance -- is still not considered to be very important to the organization, relatively speaking, despite the stats showing that security programs have expanded and security pros remain in high demand.
Companies tend to care a lot about security only when they absolutely have to, not when they need to. That's our embarrassing shared secret. It holds true for the employee, the consumer, the product team, the sales team, the executive management team, and the BoD. Humans, from the board room to the break room, are short term. Security pros have a hard time accepting this, because it diminishes what we do. Still, there it is. Secretly, we wish we could replace our logical human leaders with logical machine leaders. Then we could solve our security problems once and for all!
Nice fantasy. But corporations, with notable exceptions, are run and operated by humans, not machines. Immediate problems like servicing clients, generating new sales, attracting investors, completing a merger, and meeting payroll garner most of the attention. This is as it should be. Survival is the first order of business, not security.
...
For any organism, tangible, immediate risks to health and safety take precedence. For instance, humans are highly intolerant of being thirsty, or hungry, especially if they are also cold. We don’t have to be convinced to lock the car door, keep kids and dogs out of traffic, dress a wound, get a flu shot, or carry pepper spray while walking on a dark street at night.
At the same time, we humans are tolerant and casual in our treatment of tangible but non-immediate personal risks, like not wearing a seat belt, not flossing, not eating well, not exercising, not getting enough sleep, smoking cigarettes, drinking too much, working too much, and stressing too much. We’ve witnessed first-hand what can happen when these risks are ignored; we accept them anyway.
Obvious and ongoing shared risks also tend to escape human concern. They may be staring us in the face, they may be publicized and televised, and still we demur as long as overall economic well-being seems strong. Current examples: (a) The projected $1T US budget deficit, largest in history. (b) The current administration's denial of US intelligence agency expertise on matters of national security. (c) The denial of climate science evidence. (d) Cuts in Medicaid, including nutritional programs for poor children, to offset revenue loss from tax cuts for corporations and the most wealthy. (e) The neglect of public infrastructure. (f) A cult of personality in the Executive branch. (g) Toadies and sycophants in the Legislative branch enabling the subversion of the Constitution and rule of law. (h) The gradual slouching toward autocratic rule.
Collectively, we aren't doing much to acknowledge these black swan bombers on the horizon, or taking any measures to reduce their impact. So ask yourself, if catastrophic risks can't get our attention, why should the non-catastrophic risks in our security portfolio be treated differently?
...
Internet security risk, like cigarette smoking risk, or the risk of an economic collapse, can be accurately estimated in terms of likelihood, impact, and cost, but usually remains in the realm of the theoretical until a significant negative event occurs, and the triage and recovery begins.
While we are distilling the useful information from the hype at RSA or any other security conference -- whether drilling in on a risk-based vulnerability management and prioritization product, or attempting to comprehend the security offerings underneath Cisco's Umbrella -- we tend to forget that we work for companies led by humans who tend to avoid known security risks until they move from theoretical to actual.
Our executive leadership teams are also humans with relatively short-term views, focusing on quarterly and yearly objectives upon which the survival of the company depends. In this view, the security program’s strategic initiatives are certainly something to consider, but rarely if ever the main thing to consider. (With notable exceptions.)
...
Truth is, security programs tend to be their own worst enemies (search for "brief lifecycle of the CISO"). Ironically, what we do to protect and defend the organization is often seen as making our co-workers' lives more difficult, not easier. Sure, two-factor authentication verifies identity and secures access, but it doesn’t settle lawsuits or close deals or write code. Nobody gets up in the morning excited about two-factoring into productivity apps.
The anti-phishing platform that quarantines suspicious emails may prevent a successful ransomware attack, but it also quarantines valid, time-sensitive emails that can generate revenue. Nobody gets up in the morning eager to filter through quarantined emails that belong in the inbox.
Another truth is there is more work than a security team can accomplish. There are more gaps than a security team can cover. What we choose not to do can matter more than what we choose to do. In other words, shopping for security vendor solutions at RSA may not be the best use of your time, your department’s time, or your organization’s time.
We often encounter security product buyer’s remorse because we tend to underestimate the time and resources required for integration, configuration, maintenance, and security upgrades. How many times has this happened: Connect yet another security vendor’s product to your technology stack and -- Oops! unintended consequence! -- cause more usability and performance issues than were resolved!
And yet another truth is that information security teams tend to prioritize their work ineffectively. We make a show of addressing security concerns that are relatively easy to implement (endpoint monitoring comes to mind) but have little if any discernible benefit to the bottom line. We avoid addressing complex security concerns whose benefits are harder to convey (application security training, data governance and classification, compliance certification, privileged access management, customer data security), but which can have a discernible positive impact on the bottom line in terms of productivity, customer service, and generating new business.
...
When our RSA guys and a few gals get back to the office, after absorbing, networking, eating, partying, and not exercising during their two- to three-day conference-slash-boondoggle, RSA will fade in memory. They'll pick up where they left off on the pragmatic problems du jour: responding to alerts, patching servers, infrastructure upgrades, facilities moves, decommissioning of obsolete Windows 7 laptops and Windows 8 servers, plucking false positives from vuln scan reports and pen test results, performing laborious code security review cycles, and trying to hire more qualified staff in a job-seeker’s market.
Very few security pros aren’t battling alert fatigue or juggling IT initiatives or facing a looming compliance deadline. We shouldn't attend RSA searching for a technological miracle product to save us. We should be looking to reduce our noise, streamline, consolidate, simplify, so that maybe, just maybe, we can clear the way for higher value work.
But for a few days at RSA we make ourselves believe that IT and Security wag the dog and not the other way around. The circus leaves town and we go back home to face the harsh underlying reality of our existence, which is that while being very smart and wise, and incredibly well informed about the smorgasbord of technologies we've witnessed, the security program has not positioned itself to be very important to anyone except the security program.
AppSec Founder + Going beyond tech to solve problems + People Connector
5 years
Doug, witty article, I enjoyed reading it.
Empowering Businesses with Continuous PCI Compliance & Proactive Website Security | The Only Platform with Embedded Compliance for PCI 4.0.1 and AI Defense
5 years
Doug Meier, so then would the question be that we are targeting the wrong goal? If the goal is mergers, acquisitions and profits, wouldn’t it make more sense for a technology to discuss how security and compliance can affect those, as opposed to the approach so many take?