Why Security leaders should not aim for 100% Security.

There is no such thing as 100% cyber security. Here are my thoughts on why security leaders should not aim for 100% security but should instead focus on continuous improvement in the areas that contribute to the overall security posture.

Adversaries will always be ahead of us

We will always be a step behind adversaries because attacking is their primary business, and that drives them to keep developing new techniques against their victims. Most security products on the market, and most of the best practices security teams follow, are built from observed adversary techniques, so defenders must first learn a new method before they can develop the process, tool, or patch that counters it. We cannot reliably anticipate every future attack method, so we never fully get ahead. The adversary's mindset and primary goal is to compromise a victim, and that drives everything they do. As an organization, our primary goal is our mission; security exists to protect against anything or anyone that hinders that mission, so our defences against cyber-attacks are bounded by our knowledge of the domain and the limited resources we can allocate to it.

Digital transformation and zero-day vulnerabilities

In the current digital age, organizations adopt more and more technology to make their business operations more efficient and cost effective. Solution providers build products to meet that demand and are under constant pressure to ship as early as possible to stay ahead of competitors. Because their focus is on functional products, security is often a second priority, and the result is vulnerable products that can put a customer's critical infrastructure and sensitive data at risk. It is also not practically possible to anticipate and discover every security vulnerability before release. A vulnerability that is exploited or disclosed before the vendor knows about it, and for which no patch yet exists, is called a zero-day vulnerability. Against zero-days the vendor's approach is necessarily reactive: the flaw must be discovered before a patch can be built, and customers remain exposed until that patch is released and applied.

Lack of security awareness

The workforce is the most important asset of any business, yet it is largely ignored when it comes to protecting crown jewels and critical information assets. Many data breach surveys and reports show that humans are the weakest link, but organizations keep looking to technology to protect against breaches and attacks rather than correcting the human behaviour that would prevent them. I am not denying that technology is important; however, human behaviour towards cyber security should not be ignored.

The main reason humans feature in so many data breaches is a lack of security awareness. Every employee has objectives that contribute to the overall business goals. When you ask staff to take some action to protect data or an information asset, you often get responses such as "We are in the middle of something important; we will do your task later." This shows how seriously security is taken. Such negligence happens because staff do not see value in cyber security. Often, staff including senior management see no value in security because it produces no tangible outcome or monetary return, which makes their attitude towards security reactive rather than proactive. Security awareness training tailored to each target audience can change the way they look at security, which in turn helps protect the crown jewels.

What's your take on this? Please share your thoughts.

#cybersecurity #securityposture #securityawareness #securityriskmanagement

Sridar B.

Cyber Enthusiast | Information Security

1 year

Agreed, and a good read. Negligence, procrastination and settling into one's comfort zone have become major threat factors under human error. The goal of supporting tools is to detect at the earliest, and thus to be proactive. Curating awareness from within oneself is a powerful practice that can lead to personal growth, self-discovery, and a deeper understanding of oneself and the environment around us.

Vikas Arora

Senior Vice President - Global IT & Security | CISO | CIO | Security Leader | Privacy Leader | CISSP | CIPM

1 year

Good read, Mahesh.
