I’ll caveat up front that my vantage is limited, so what follows is simply my observation:
We are losing in cyber.
A solid InfoSec programme, millions spent on tools and training, the best and brightest personnel: all of these matter for survival and for minimising our exposure. We have sharing groups, vendors, regulators – but we are still losing. Why?
In part it’s our enemies; whilst we have talent, they have hunger. Thousands of people make their living by remaining faceless and exploiting every vulnerable avenue; they eat, sleep and breathe cyber. They have the means to work the existing systems, in some cases with limited repercussions for getting caught. Traditional methods and practices aren’t evening odds already stacked in their favour: for every one we remove, eighteen months after the attack, three more have replaced them. We speak of antifragile industries; this should be our baseline. A decentralised digital hydra.
In part it’s because of our limitations. Despite all our contacts, we fear liability and remain largely isolated. We build defence-in-depth to harden the target, exploiting attackers’ penchant for easier prey. So they find it, using our connections with those weaker than us to attack us indirectly. We can divert and respond quickly, mitigating the threat each time it comes to our gates. The trouble is that our castle is purely defensive: we have no offensive capability, the offensives we can support are overwhelmed, and the focus is on absorbing or deflecting the attack. We aren’t striking at the root because we are unsure what the core is. We aren’t even certain there is a core; we tend to project conventional structures onto guerrilla operations in our attempts to understand them. The parts we can see are decentralised, with portions operating as service models. Even when we find pieces, we aren’t certain what to do with them. Initiate a domain takedown for a site emulating ours? Great, so they open another one that we then have to find. It’s like playing rugby with our hands bound: the stoutest props will be taken down by a lucky hit among thousands. They really only need one.
You think it’s bad for us? How about those who haven’t the money to spend on security? Our major clients may not have to worry, but the small ones certainly do. Our customers even more so. We are losing: individually, collectively, and organisationally.
Hope is not lost, though; we simply haven’t yet found how to adjust to the new game. We can.
It will require open discussion, creativity, and more than thought. We need to work backwards from the goals to what we can execute today. Every day we start somewhere.
- It will require a culture shift; then another, and another.
- It will require conversations often assumed to be held elsewhere.
- It will require crisis.
- It will require failure.
- It will require faith in recovery and not accepting the losses.
- It will require reframing our ecosystems.
We talk about being the best for our clients. Cyber is where the need still gapes. We need to work out how to fill it, as no one else has tried yet.