Last week, I participated in a webinar about SC Magazine’s Breach Survey. The survey was sent to a group of Chief Information Security Officers and included security-related questions, such as:
Do you think your company is taking steps to protect critical data? 89 percent say they are.
What is your security staffing makeup? 91 percent say they have the same level or have increased staff to support IT security.
Have you strengthened security awareness training for employees? 83 percent say they have.
So, why are we not making any progress in preventing intrusions? Most blame the sophistication of hackers, the rise of advanced persistent threats, the ease of buying exploits (the loot) and the collaboration among cyber criminals that make it impossible to defend. But I disagree. I blame our industry.
According to the SC Magazine survey, we are all doing something; but we aren’t doing the “right” something. If you read the Verizon Data Breach report released last week, you’ll notice that they’ve identified the same trend: we’re doing more, but succeeding less. We’re all doing something to make us feel better, but I think we have confused activity with effectiveness. For years, I used the analogy that cybersecurity was like a sick patient asking a doctor to write a prescription for drugs that will cure the sickness. A prudent doctor would say, “eat better, get some exercise, sleep more and it will go away,” but most would rather take a pill. This is the same with cybersecurity. We don’t want to understand business risks, identify and locate critical data, understand data flow availability with appropriate access control, and set policies for audit and enforcement. We just want to buy a box that fixes everything.
Recently, I’ve updated my analogy to create a comparison to the weight loss industry. Instead of changing your lifestyle to eat better and exercise more, we’re trying to take the easy way out. So, we’ll buy pills, shakes, meal plans, exercise machines or magical belts that help you lose belly fat while watching TV; but the reality is, there is no one single right answer for everyone. Effective diet and exercise programs are dependent on several factors including your sex, age, genetics, current and previous physical activity and diet history. Different approaches work for different people. The same is true with security. It’s individualized, but we don’t want to believe it; so we try the magic box that our friends bought to protect them or some network sensor that has worked for a small subset of organizations and complain when it doesn’t work for us.
This brings me to the real problem: we are afraid to change. I don’t think it’s because we fear the “hard”. It’s that we fear the “different”. It also doesn’t help that we are being bombarded with conflicting information like, “watch the network, and the endpoints, and worry about the malware”. Then we get confused and paralyzed when it’s time to make a decision, and in the end we stay with what’s familiar. We become resistant to change, even when faced with unarguable evidence that it isn’t working.
The short answer for your health is to go to your doctor and listen to what s/he tells you to do to improve your health. For your enterprise, if you don’t have the expertise to do it yourself, seek a knowledgeable, independent security consultant to help you identify your business risks, develop policies, processes and procedures to manage your risks and then identify technology that supports the process. Next, hire or train good people to manage and monitor those systems. Technology shouldn’t replace people; it should make them more efficient and effective.
– Rick Doten, DMI CISO