Cybersecurity is broken

At least, that is what one expert has to say in a provocative piece in SC magazine.

Here are some excerpts, but I recommend you read the short article.

The author, the CEO of a software vendor of cybersecurity products, starts with these points:

…user-driven technology has progressed so rapidly that it has significantly outpaced technology’s own ability to keep data protected from misuse and guarded from cyber vulnerabilities…

A lack of reliable security is the price we’ve paid for this eruption of amazing new cloud-based services and keeping vital data out of the wrong hands is an uphill battle.

He then spells out a truth that we should all acknowledge:

Anyone who tells you that your data is secure today is lying to you. The state-of-the-art that is cybersecurity today is broken. There must be a better way. But don’t lose hope, there is.

The article then takes a new direction (at least for me):

CIOs today need to adopt an entirely new security philosophy – one that hinges on the fact that your files and information will be everywhere…

If we can build a new security approach from the ground up based on the premise that data will escape, and are then able to secure everything no matter where it is, we end up debunking the concept of the “leak” entirely.

I do agree that the traditional, exclusive focus on preventing an intrusion cannot continue. He says:

That’s why my biggest frustration coming out of the recent Sony and Anthem hacks is companies opting for reactive solutions to fortify firewalls and secure siloed tunnels of information. For example, there was a major uptick in company-wide email-deletion policies in the wake of the Sony attack. Now that’s just dumb. Those are band-aid strategies that fail to address the heart of the problem.

He continues to press his point:

Maintaining a level of security in a boundaryless world means security and policy follow exactly what you’re trying to protect in the first place — the data…

Usable security, where users can choose how they want to access, store and share data, can only be made possible by providing a seamless user experience, so security is integrated into the daily work of everyone. A great user experience is one major obstacle security vendors (and arguably, all enterprise services) have yet to conquer. If we can do it, we will move away from panic-inducing scare tactics used to encourage adoption, and instead empower users with a solution they actually like to secure data…

In order to be a security company, enterprises need to rethink a few things. First, users have to be in control of their data at any given point in time and should be able to revoke access when they want by utilizing familiar technology. They should have complete peace of mind that their data truly stays theirs. Second, in a cloud and mobile world there are no real controlled end-points anymore, unless we want to take a step back into the stone ages. And third, the firewall model is broken and trying to extend the perimeter out simply doesn’t work anymore. It’s about protecting the information, wherever it is, and not about locking everything down where it’s hard to access, use and share for your employees and partners.

So he is presenting a new cybersecurity world where the security follows the data, using encryption and other methods.

I think that is something that every organization should consider – especially encryption.

But is it enough?

For a start, how secure is encryption in the face of the sophisticated attacker? Maybe it is reasonably secure now, but we cannot be sure it will remain secure. Consider how encryption was broken by researchers, with the story told in this 2013 article.

I think you need at least three levels of protection: prevention, encryption, and detection, followed by response.

We can no longer assume that the bad guys cannot get in, and I am reluctant to assume that my encryption will not be broken if they have time.

So, we need the ability to detect any intruders promptly – so we can shut them down and limit any damage.

Too few have sufficient detection in place. Just look how long hackers were inside JP Morgan, and then how long it took the company to expel them!

I welcome your views.

  1. Michael
    April 12, 2015 at 1:15 PM

    The source article is well worth reading, however your summary was an excellent summary of the required, essential shift in thinking required to achieve actual cyber security. Thank you.

  2. Richard Fowler
    April 13, 2015 at 5:08 AM

    I like your approach, Norman. Ajay makes some good points, but when he states that “users have to be in control of their data at any given point in time and should be able to revoke access when they want by utilizing familiar technology” he has presented us with a paradox. Users in general do not know about data, privacy, security or access controls. Any attempt to make user control of data “easy” will open the door for hackers to control that data instead.

    The defense in depth strategy has been a standard for many years and continues to be the most effective approach, as you’ve pointed out many times. Your points here about prevention, encryption, detection and response are also good examples of a multi-tiered approach.

  3. Gregory Sosbee
    April 13, 2015 at 7:30 AM

    Your comments are on the mark Norman. The basic issue is the IT world sees and fights everything on a micro (tactical) level. Unfortunately they are not trained to look at the macro (strategic) picture.

    This lack of strategic perspective in the IT world starts with the release of hardware and software that isn’t ready to be released, as they use the public to do their deep beta testing in an effort to limit the economic cost of the product. Hackers search and find and exploit the product vulnerabilities at a time of their choosing. Thus the hackers are always one step ahead of the IT world.

    Nothing connected to the internet is safe for any amount of time. Users have to learn to stay one step ahead instead of one step behind.

    • Helen Umberger
      April 13, 2015 at 8:36 AM

      While it is true the IT world releases hardware/software out to the public without deep testing, it is not because IT wants to… but because they have found the market won’t pay for a product that has been completely tested. Testing is a very expensive activity. There are options for security, and mostly the market won’t pay for them… or end users find them too difficult to work with… Sony didn’t even have a CISO until after the intrusion impacted their end users.

      Reactive policies are generally a sign that the enterprise wasn’t willing to pay for security until after an event.

  4. May 8, 2015 at 9:43 AM

    Great observations, Norman. Contact me if you’d be interested in writing about this topic for Corporate Compliance Insights.
