"Who's the Real MVP?" - The Shiny Toy Problem Facing Cyber Security
Picture from Momentum Cyber - The Cyber Landscape

I know the following scenario will be incredibly familiar to some people, while others may find it amusing or even controversial; it will depend on your experience, history, and position. Yet here it goes. Who reading this has been in a similar situation? Imagine it: a substantial cyber breach has just been reported in your market sector and everyone is worried. The company fears it could be next, and it knows its security model has its own weaknesses. A meeting of the hierarchy is quickly held on how best to protect the company against this latest threat. Numerous opinions and arguments are aired before the company CEO stands up and announces that only last week they met a vendor who claims that installing their shiny, flashing lightbox on the network will solve all of the company's cybersecurity problems. Before you know it, every other point is dismissed and the company has spent an extraordinary sum on this new glossy toy, in the belief that it is now safe and sound and can forget about the cyber threat. Maybe you have been in this scenario personally, maybe not. Maybe you have read about it or heard of it from colleagues. Maybe this is a complete simplification, but the point is that any good security professional worth their salt, or anyone for that matter, will understand that this is not a proven method of securing your company against cyber attack. In essence, and this is what this article is about, there is currently an over-reliance on technological tools and not enough on the other aspects of security. Tools are part of a solution, not the solution.

I do feel that over the last decade this scenario has played out all too often in companies that do not have a strong, or even present, capability for dealing with and understanding cyber threats. This is not entirely their fault; rather, cybersecurity as an industry has in the past been massively underinvested in, both in importance and in interest. Cybersecurity is not a simple subject. It is hard to get right and easy to get wrong. It involves a lot of technical know-how and understanding that is a completely separate world and language from normal day-to-day business activities. Cybersecurity does not make businesses money (unless that is your business, of course). It is a cost, and it is only recently that risk versus cost has tipped over into something that can no longer be ignored. Pre-GDPR, companies worked out that it was cheaper to just pay the fines for data breaches than to build an expensive security capability. The GDPR, the rise of social media and an interconnected world changed all of that. No longer could companies hide data breaches or simply pay the fines because it was cheaper than implementing security plans. Now the fines are in the billions and it is much more expensive to be breached than it is to implement security plans. It is a simple risk-versus-reward calculation, and everyone is now paying attention and playing catch-up, scrambling for resources that currently are not there.

Returning to the security tool scenario in the first paragraph, and to my point with this article: the aim is not to completely lament the security software industry. Far from it. I believe it is very much required to fight the good fight against our current and future cyber adversaries, but far too much emphasis is being placed on technology and not enough on what I call the MVP of the cyber world. Now, unless you follow American sports, you may not know that MVP stands for Most Valuable Player, but in this case it can also stand for the Most Valuable People. And this is my point for the article. We need to somehow create a mind shift in our society: sometimes our best, and sometimes our only, line of defense against these aggressors is not your network IDS, phishing detection or even firewall. It is your employees. It's the people.

So let's look at some stats to bring some context to the story. Cisco's 2018 Annual Cybersecurity study found that 41% of organisations are using technologies and services from as many as 50 different vendors, and that by 2021 global spending on cyber technologies is expected to hit over £1 trillion. So, breaking it down: how easy do you think it is to manage all these different security services and technologies across a business? To keep them operating, updated and secure on a daily, if not hourly, basis? The answer, of course, is that it is incredibly difficult. Of those companies that had 50+ different technologies, it came as no surprise that over 55% admitted they found it 'very challenging' to administer them. Nor was it a shock that among the companies with 1-5 technologies in their networks, just 8% reported it being very challenging to manage them. Of course, this is all context dependent and some companies will require lots of different technologies to run their scope of business, but are you telling me that there is no opportunity to reduce the requirement and push the funding to something else?

What could we otherwise spend our funding on that may protect a business just as well as flashing-light technology? I hear you say that it is all very well me slamming technology, but the world is in a crisis when it comes to cybersecurity personnel, with a skills gap reported at around 3.5 million by 2021. Despite budgets and importance growing in terms of cybersecurity, one of the greatest obstacles managers currently see is a lack of trained personnel who can fill these roles. However, let's say you do manage to find these elusive individuals: guess how tough it is to keep them? Just so you know, nearly 50% of people working in the cyber industry are approached by recruiters at least once a week for new roles. So you now need to somehow retain them once you have got them, or else you will just be throwing recruitment costs at these positions every six months. So, even if businesses want to hire them, they are not out there to hire, and once you have them, keeping them is even harder. It is never easy, is it?

So, doing a little personal analysis, maybe this is the reason behind the rise in security tools and software over the years? Is it because there literally isn't anyone to fill this skills gap, so technology has filled it for us? It is unsustainable to keep recruiting every 6-12 months for the same role because people keep getting poached by rival firms; people also have to go home, while criminals work around the clock. So it makes sense, right? Replace these positions with a never-sleeping, always-on-guard, never-makes-mistakes technology solution. But have we lost our way and placed too much responsibility on the machines?

My argument is that we have. I always say that the principle of security is constantly fighting against the desire for convenience in this world. People want everything quicker, continuously and at their fingertips at every point in their lives. The CIA (Confidentiality, Integrity and Availability) triad cannot cope with this, and guess what suffers at the hands of consumer demand for convenience? That's right, security. A company that can push out its new Wi-Fi enabled kettle within six months at £19.99 is most likely not going to abide by the principle of privacy by design, delay launch by a further six months and raise the cost by £10 so that the firmware can be updated manually through an accessible system security menu that keeps customers secure. No, they are going to go cheap and fast to market so they can make the most money, and we are seeing this scenario all the time with the rise of the Internet of Things. So, I have laid bare the issue and explained why I think we are where we are; it's about time I provided my thoughts on how we might solve it. I will offer three things I believe need changing in order for us to solve this wicked problem.

Can't Find Them So Build Them

As we have a very well documented skills gap in cybersecurity that is not going away any time soon, we are not going to suddenly find ourselves inundated with people skilled enough to fill the boots of over 3 million unfilled cybersecurity roles. So if we can't find them, companies are going to have to build them. What do I mean by this? I mean companies should start investing now in their own academies of excellence. They should start to integrate with colleges and universities and create pathways and routes into companies. The academies should be able to train the current workforce and also provide specialist training to retrain people in more complicated subjects. If you need a cybersecurity manager, a network security engineer or an incident responder, why not train them in your bespoke academy, which trains on your own software, knows your company values and creates a sense of belonging because the company has invested in them? It is an excellent way to generate loyalty among employees as well, making it less likely that they will leave. If you do not have the funds, or are not lucky enough to be able to create your own specialised academy, then the next best option is partnering with industry. Work together with companies who can develop and build the capability you require. Basically, build your own MVPs.

Human Resources Need Some Help

Like I said earlier, cybersecurity is a difficult subject to understand, so imagine how hard it is for someone who isn't trained in it to then scope roles and pick candidates to join the company in them. So many good people get dropped and do not make it to interview because the HR person doesn't understand their CV or skill set. Or, the biggest faux pas, the requesting of an unachievable level of qualifications for a role. You want a junior analyst to have CISSP, CISM and OSCP? That is literally impossible and ridiculous. HR needs to be trained to understand that you do not need to be a programmer or be able to reverse engineer malware to be successful in cybersecurity. You can work a technical role without being able to script, write code or build virtual machines; don't get me wrong, it helps, but it is not the end of the world. For example, it's like asking a person going for a goalkeeper role in a football team whether they can dribble at full sprint with the ball and shoot with both feet, disregarding the fact that they are statistically the best penalty stopper in the league, and failing them for the job because they didn't tick all the boxes. The whole picture needs to be looked at, as sometimes the most desirable skills are not even technical but rather personality-based.

A Balance Between Human and Machine

For me, if we could show the executive boards of companies the impact that a well trained and motivated individual can have against cyberattacks compared to a machine, I think this over-reliance on technology would disappear relatively quickly. If more investment, or a better balance of it, can be placed into people in terms of training and jobs rather than into security technology simply because it costs the business less overall, then we may start winning this fight against the attackers. Because, news flash, we are not winning this battle against the cyber threat actors. These attackers know that machines and software are vulnerable, that they can eventually be breached and exploited, and that the rewards are massive. What makes a business secure is a person who can build an in-depth security model that has resilience, can respond quickly when required, has the right balance of people in the right roles, fuses physical and cybersecurity together and, most importantly, maintains its integrity. If this can be achieved then the business will make itself a much harder target for attackers, who will always go after the low-hanging fruit instead of trying to crack the castle fortress. So, my thoughts are that you will never erase the human element in security; you will always require people because, at the end of the day, even with all this technology and security, you still need someone to analyse its output, configure it and manage it on a day-to-day basis. Without a human doing all of this, your shiny black, flashing box is about as useful as an unpatched, publicly facing Windows XP machine.

If you have any questions or require any assistance regarding your own cyber security issues, please call us on 01273 060080, email us at [email protected] or visit our website at Crucial Academy.

Arthur Patrick (He/Him)

HM Forces Veteran | Data Service Provider

5 years

A great article Tom. Everything you said is so true, and I think that our government agencies & businesses should heavily invest in their Human Resource capacities to reduce the threat levels. I am really looking forward to getting on a defensive or offensive course with Crucial Academy.

Keith Jones

Accomplished IT Professional.

5 years

Really interesting article Tom and very thought provoking. As a recent security practice manager, I’ve experienced some of your points first hand, especially the challenges around recruitment, retention and the importance of enabling the right skills and capabilities of security teams. I also agree the right emphasis and acceptance of what really being secure means by businesses is essential, many are on that journey already, and it’s certainly a people, cultural and behaviour challenge to resolve, all of course, requiring the right leadership and more importantly, followership in place. Technology still plays a crucial role too. The right people, enabled with the right knowledge and skills, doing the right things, with the right technologies in place, prioritised in that order, and businesses, the world will be a more secure place for sure.

Tom O'Connor

Founder & CEO at EU VAT Representation

5 years

Insightful article Tom, but there are a couple of points I'd like to share with you:
- You will find that CEOs seem to think that they can dispense with the process of selecting just about everything, because they have found THE solution. This is not peculiar to cyber security, it is a truism which I have encountered plenty of times in plenty of situations.
- As you say, we live in a world which seeks the shortest course to market. The attitude of get it 80% and we'll fix the rest later is prevalent in many industries. Same too with the issue of price. This is indicative of the same type of thinking which believes that you can deliver everything with Agile and avoid all that needless paperwork and planning. Executives love these ideas because it brings immediate reward, or so they believe.
- I would be very surprised if an HR person in a major corporation touches a CV these days. That's because it too is an overhead function and the whole recruitment process is usually outsourced to one of a few organisations that claim to provide "resource solutions", along with maybe another recruitment agency if the Preferred Supplier List recruiter cannot source the resource themselves. Also, HRM no longer means "Human Resources Management". Instead it means "Human Risk Management", reflecting the direction of travel that this function has been following for at least two decades. It will be the hiring manager who will need to differentiate and even here they may be hampered by HR's insistence on managing the interview script.
- Also, the hiring manager (who usually drafts the Job Spec these days, with minimal input from HR) will often and unconsciously be looking for their own clone, by drafting a profile which simply reflects their own personal career history.
- Lastly, many employers are very suspicious of new technology and even more suspicious of people in their business who understand how it works. This is understandable, as the business will not want to be beholden to a guru who, if disgruntled, can remind the boss who really does run "Bartertown"! Worse still is the employee who runs their own little shadow operation; and believe me, I've seen that situation too!
All in all, the reality is that:
- Senior executives like to be seen to know what goes on, even when they don't. They also believe that everything can be rationalised down to a simple solution, which is where the problems start.
- The short-term imperative to get everything to market (or into commission) and earn revenue (or start paying its way) instils very bad behaviours which can affect a business's reputation (think VW emissions cheating, or Suprema and their Biostar 2 product which has just been outed as being flawed).
- Due to the vested interests within the recruitment process pipeline, it may not offer you the "best" candidate, but the "safest" candidate. That is to say, safest for the recruiter in order to get their candidate in the door.
- Finally, the organisation may also be wary of putting someone in place who is perhaps a bit too clever for their liking, out of fear that they may grow a niche in what the management perceives as being a "grudge purchase" in any event.

Michael Jepson

Award Winning Penetration Testing Manager | Red Team | CREST Registered Tester | CompTIA Security+ | CompTIA Network+ | TechVet | Licensed Trainer | Qualified Management Professional

5 years

A great article, your team at Crucial and posts like this encourage me to get into Cyber. Thanks

David Thomas

Head of Cyber Resilience at ITHQ, vCISO & Board Advisor

5 years

Great article and reflects many of my thoughts on tackling the skills gap.
