Why have we failed and what do we need to do?
In watching the most recent high-profile, and very costly, breaches, I’ve begun to ask the question "Why have we failed and what do we need to do?" We’ve failed. As I enter the twilight of my career in our industry, we haven’t gotten better -- breaches are more expensive, they’re more difficult to remediate, the economic destruction is real, and people get hurt or die as a result of cybersecurity breaches. Why? Where did we go wrong, and what do we need to do to fix it?
The first question I asked myself is, "What do we do well?" We’re an industry of incredibly talented people. Over the years, we’ve learned to collaborate and share information (which we didn’t start off doing), and we have no shortage of tools. Our tool chest is loaded to the gills with capability. We also have boards and executives who are more cyber savvy than ever before. When I started in our industry over two decades ago, I couldn’t explain to a board what cybersecurity was with a PowerPoint presentation. Now, they’re all concerned about the issue and paying attention.
So where did we fail? I do not have all the answers, but I have a few thoughts and I’d love your perspective on this topic. I do believe by any measure we’ve failed. We’re more inaccurate than the weather forecaster when it comes to predicting outcomes and fall woefully short when it comes to preventing bad stuff from happening. It is not conclusive, but I think it comes down to five fundamental mistakes we have made since I started in this profession over two decades ago:
- Lost Technical Advantage -- We have forgotten that this is, by and large, an engineering and technical discipline. We were enamored with talking to "the business" and dissecting the details of risk. We’ve lost the technical edge, while our adversaries simultaneously have gone "deep" into the tech. We started off as an industry of "geeks" and technical people, and we have allowed ourselves to become an industry of checklists. We need to get back to our roots as technical practitioners.
- Not Considering it Warfare -- We do not treat cyber as a true dimension of warfare. We have an Army, Navy, Air Force, Marine Corps, Coast Guard, and recently, we created a Space Force. But we have never treated cyber as a battlespace -- cyber has emerged as a method for our enemies to attack us. It makes sense -- it’s asymmetric warfare. Most of our enemies wouldn’t notice if we shut off the Internet in their home countries because they don’t depend on connectivity and applications to the degree that we do. We have the nukes, but we need the Internet to get food delivered to the grocery store.
- Fear versus Fact -- In the mid-2010s, we stopped talking about threats. We were concerned about "Fear, Uncertainty, and Doubt". We quit talking about what the bad guys were doing because we didn’t want to be fear mongers. The problem with this is that we didn’t enable ourselves to be adaptable. Instead, we got complacent with 3–5-year budget cycles and cut ourselves off at the knees regarding our adaptability. In other words, we gave our enemies an operating window. They know our frameworks (HIPAA, ISO, PCI, NIST), and have figured out how to exploit the weaknesses of those frameworks to do us harm. We buy security products for 3-5 years and the bad guys think about how to succeed in the next 200-300 days.
- Crickets from our Government -- Our government has failed us. Try invading California and see what happens -- the enemy would be met by an amazing amount of military power. But we’ve become desensitized to ongoing cyberattacks. I believe it is a direct result of the fact that most of our elected officials lack cybersecurity knowledge. As a result, we don’t have a comprehensive stance on how we should address and mitigate such attacks. The enemy is a group of hackers, while we have technically deficient politicians writing public policy about a domain they do not understand.
- Lack of Standards -- Our professional standards don’t reflect the seriousness of our industry. Doctors have Boards. The legal profession has the bar association. Quite frankly, our professional certifications are lightweight. I regularly enjoy quizzing industry people who have alphabet soup certifications in their title yet functionally know nothing about what we do for a living.
What do we need to do?
- The Right Talent: This is a technical and engineering profession. Despite the "talent shortage", we need to stop hiring checklist experts and hire smart, talented, engineering-oriented individuals. Our industry isn’t rocket science, but it’s also not a game of checkers. We need chess players.
- Weaponize our Responses: We must treat cyber like a dimension of warfare. There are enemies, threats, vulnerabilities, countermeasures, and risks. We must treat our profession like a battle space. If we are determined to pretend it’s a paper-pushing business job, we will continue to fail.
- Facts over Fear: We must get out of the "I don’t want to scare the boss" game and start talking about relevant threats to the businesses we are charged with protecting. It’s not FUD to talk about what the enemy is doing. It’s our job to know and we need to effectively communicate it to our non-security stakeholders.
- Government Action: We need our government to treat cybersecurity as an issue of national security. We need public policy that recognizes that the private sector cannot solve this problem alone. We need foreign policy that tells our enemies that we consider cybersecurity a dimension of warfare and as a country, we reserve the right to respond to cyber-attacks with whatever method we deem necessary including kinetic warfare. It’s fair for us to say, "I reserve the right to bomb you if you shut off the gasoline supply to the east coast." It’s fair because we are an advanced and connected society. Cyber-attacks are incredibly damaging to us compared to an equivalent attack against most other countries.
Cybersecurity is my life’s work. When I am gone, it will be the thing people talk about when they think of me. I love what I do for a living. We really, honestly have failed at our jobs. This is my viewpoint on why we have failed and what we need to do about it. What’s your perspective? What should we do to right the ship and fix it?
J.R. Cunningham is Chief Security Officer, Nuspire. An accomplished innovator and premier thinker in cybersecurity and risk management with a proven track record of success, J.R. Cunningham has performed executive consulting, architecture, and assessment work across the globe and in a wide variety of industries including finance, insurance, healthcare, education, intelligence community, retail, and government. J.R. is noted for leveraging his IT, security and business acumen to build industry respected consulting practices for Optiv and Herjavec Group.