You can't win: Learning to live with security pessimism
Cybersecurity can, at times, feel like a thankless and invisible task. The punishment for a mistake is immediate and ruthless, the reward for success next to non-existent, because how do you recognize the absence of a breach? But this isn’t a new scenario; the IT industry has dealt with this outlook for decades. The job of an IT department is to be invisible, but when something does go wrong all eyes are inevitably on them to fix it.
In a threat landscape where there exists a constant push to innovate, adapt and breach, there are only three possible outcomes for the IT industry: defeat, indefinite struggle, or complete structural collapse.
Security professionals should not see their work as a battle but as a process. We must coexist, giving up on the idea that an all-out victory is possible, and instead adopting a mindset of, as I put it "security pessimism". The industry often uses the phrase "not if but when" to talk about security breaches. If such breaches are an inevitability, our struggle is not against the attackers themselves but against our own faults.
New hardware vulnerabilities come out year over year, software bugs are constantly being exploited, and even our vendor supply chain is a risk factor. What’s more, tools that are vital security for us can quickly feel like added friction to the average user. They view MFA (Multi Factor Authentication) as an extra obstacle to logging in for work, not a tool to protect the organization. As security professionals faced with this reality, we must assume that our data -- the ever-touted "most crucial asset" -- is captured by platforms that are on vulnerable hardware; running vulnerable software; serving vulnerable users.
The only way to fully encapsulate all these vulnerabilities into our security plan is to accept them. Accepting that our platforms are imperfect gives us an accurate picture of the problem that is in front of us. If we continue to view security as the sum of all of the tiny battles that take place between "attackers" and cyber "defenders", we lose vital context and long-term perspective.
The current psychological framework of cybersecurity is one of battle. The concept is a struggle between two opposing sides who are committed to defeating each other -- the cyber defenders against the invading attackers -- and the defenders must triumph. But the major flaw in this viewpoint is the existence of an endpoint, a victor and a fallen. In security, the defender cannot win, there is no big reward, the reward is simply that everything works.
To “win” the battle of security we must take a step back and gain perspective. We must understand the cause of a data breach is often the complexity of the systems we ourselves have implemented. Over time, the progression of technology has eroded the foundations we built. We need to shore those foundations up through better processes, new technologies, and critical observation of their failings so we don’t repeat our mistakes.
As an industry, we are moving towards a more holistic view of security -- overall a very good thing. Security as point solutions is a thing of the past, and it deserves to stay there. XDR, SIEM/SOAR, and the various types of security integration are all good news. What’s missing to me is the underpinning philosophy I’ve outlined above. Customers and Service Providers are still viewing security as a reactionary area: we only move forward or innovate when forced by our material circumstances. Although it can be argued that the practice of cyber-insurance has set us back years by funneling billions of pounds to ransomware groups, I will begrudgingly admit that it has also advanced security posture by placing a monetary incentive on top of better practices.
Ultimately, I believe we will have no other option than to accept these premises as part of our security plans. Remember, though, that since security is a process, we do not have to do this all at once. We can sneak up on it by slowly integrating more and more of our hardware stack, supply chain, and user base into our security policy with each iteration.
If you’re unsure of where to start, the security professionals at your company or your MSSP will almost certainly have some strong opinions. The best time to make your security policy better was before your breach. The next best time is right now.
Alex Reid is Product Architect at 11:11 Systems.