The Greatest Threat to Cybersecurity is the Cybersecurity Industry
It’s true. Having analyzed hundreds of data breaches — and the corporate mindsets that preceded them — no other conclusion is possible.
In a frantic scramble to stake their claims to a meaningful share of client budgets, IT security companies have propagated a series of myths that may ultimately leave their customers in worse shape than they were before, if for no reason other than instilling a false sense of confidence. Let’s unpack a few of them.
Products solve the problem. Buy our firewall. Buy their anti-virus application. Buy someone else’s SIEM solution. Far too many IT departments remain product-centric. Without question, the tools that comprise a state-of-the-art security solution are important. The artisans who wield those tools are more important. But that truth can get lost in the information overload that spills forth from industry leaders motivated to sell more appliances.
Moving to the cloud eliminates the problem. It’s tempting to believe it, because who has more money to throw at cybersecurity, your company or Microsoft? Your company or Amazon? But for all its utility, the cloud does not bolster the security of your most sensitive data. In fact, with a security-oblivious user base, moving to the cloud could actually add to your risk. (That doesn’t necessarily make migrating to the cloud a bad idea.)
Encryption solves the problem. Ever since BitLocker showed up in Microsoft’s late, lamented Vista operating system, the notion that drive encryption is the key to ensuring corporate cybersecurity has been a difficult one for many organizations to shake, especially those with a mobile workforce. But while shoring up the problem of lost or stolen laptops and other mobile devices is a worthwhile undertaking, it is far from the only vulnerability that needs ongoing attention.
Testing solves the problem. Penetration tests are important, but not all pen tests are equal. There is a vast difference between automated assessments and professionally managed pen tests. A canned assessment can point IT administrators toward areas that demand attention, but the results are essentially superficial. Engaging highly skilled and experienced security professionals for your pen tests will make the subsequent reports substantially more useful. But they will always represent your status at a moment in time.
Compliance solves the problem. Regulatory mandates provide only a baseline for general security principles, not a platform on which to build an effective security program. Regulations are about establishing minimum standards. They are not designed to keep abreast of or respond to changes in the threat landscape because that landscape moves rapidly, and regulatory bodies do not.
So what can you do?
Stop looking for a magic bullet. Never believe that one solution ensures your cybersecurity. Each of the above approaches is important, but only in tandem with the others, and with such components as security awareness training and a comprehensive approach to security policy development and enforcement.
Stop thinking of cybersecurity as a problem to be solved. Rather, accept that it is a risk to be managed. And like all business risks, it is best approached holistically across a broad front, consistent with the risk management model used in finance, expansion, capacity planning, and other critical areas of the corporate environment.