Let’s face it; no credible cybersecurity professional wakes up in the morning and says, “today, I want to screw up.” Yet, despite best practices, best efforts, and best minds, the existential threat that Chief Information Security Officers (CISOs) face is daunting and seems to occur as if history is repeating itself. What are the existential reasons that we must ask ourselves to change this dogma? As I contemplate this question, I am reminded of what Albert Einstein once said: “Not everything that can be counted counts, and not everything that counts can be counted.” So, whether you agree or disagree, consider the following strategic anchors as a means of solving your enterprise security strategy.
Fail Reason #1 – We focus on all vulnerabilities.
We focus on the vulnerabilities. The problem is that everything is vulnerable once it is plugged into the Internet. Last I checked, there were over 100 million vulnerabilities and malware samples to exploit those vulnerabilities identified over the Internet’s history. The incentive to find vulnerabilities is big business. Every single antivirus / Internet security company has a stable of folks who make a living discovering flaws in the code and ways to exploit them. Add the thousands upon thousands of independent researchers who perform that task as well. Then add an equal number of national and state employees who do it, and you have a constant flow of vulnerabilities being discovered.
Moreover, every single person on that list gets paid in some way for their efforts. We now even offer “bug bounties” where many companies, including the U.S. Army, will pay you to find a vulnerability on their website. There is an entire economy focused on discovering vulnerabilities and developing code to exploit the vulnerabilities. However, unless this economy is disrupted, this process will not change, and the cybersecurity industry will never get ahead of the threat. We will continue to defend everything from everyone, and therefore we will protect nothing.
Fail Reason #2 – The Irrelevance of Whitelisting
Whitelisting. What about only allowing the known good? Known as “whitelisting,” this refers to blocking any program, I.P. address, or email address not on an approved list. Why can’t we just do that? Unfortunately, we aren’t able to because most companies struggle to get a handle on all of the programs/apps that are currently run in their enterprise. Computers are sold with so much unnecessary code, called “bloatware,” that it’s challenging to know what is necessary and what can be removed. Of the many processes running on any given computer, how much of it is essential, and how much could go away? I doubt anyone truly knows. The upfront time and effort to analyze this is very disruptive. How many small companies can afford this practice based on everything else on their “to do” list? Not to mention, the cost to large companies may not be reasonable either.
Fail Reason #3 – Poorly Executed Compliance.
Compliance. Great idea, terrible execution. The idea behind compliance is that it is comparable to safety standards for a car. Follow these rules, and you are more secure. But I guarantee that I could build a compliant I.T. enterprise and not be secure. I could also build a secure I.T. enterprise and not be compliant. And because there are fines that occur with being non-compliant, that becomes the priority. Compliance is supposed to set the baseline. Instead, it creates a culture more like accountancy, focusing on recording, classifying, and reporting transactions for an organization’s status. We fail to recognize that compliance leads to complacency. The DoD is making the industry meet compliance standards for data protection that may or may not affect their goal. After all is said and done, an individual will still be able to send data to anyone, anywhere via email using all legitimate accounts.
Fail Reason #4 – We don’t truly deter the bad guys.
The bad guys. We forget that there are people behind the code that are trying to break in. The Government does very little to deter any threat. Jail time? Most ransomware comes from overseas, and the perpetrators are protected. Many countries have subculture micro-economies supporting hacker groups. They have celebrity status, much like Robin Hood. As long as they pay off their local officials, they are untouchable. And in cyberspace, if you try to defend yourself against a hacker by hitting back, you go to jail. It violates the Computer Security Act of 1987. Think about it, I can shoot someone for coming into my home to defend my life or property, but if someone tries to steal my intellectual property and I attempt to stop them with an attack, I will be arrested.
Fail Reason #5 – Cybersecurity is not a technology problem.
Cybersecurity is not a technology problem. We have so many mouse traps out there; it is ridiculous. Even if a CISO wanted them all, they couldn’t afford them, and then they would have a training gap anyway – because they wouldn’t have the staff to make it work. The cybersecurity industry suffers from an overburdened and untrained staff. Every conference on cybersecurity talks about two things – workforce training and workforce availability. Nothing has changed in 15 years. Formal education fails to create a pipeline of competent workers because their graduates may be book smart, but they lack the motivation or experience to be effective in most cases. Industry certifications are supposed to establish trust and credibility within the workforce. However, most of them are worthless measures of someone’s abilities. I have met too many I.T. folks who have multiple certifications yet do not know how to put any skill into practice. Government, industry, and academia must focus on identifying the PROFICIENCY, COMPETENCY, & MASTERY for each skill required for cybersecurity. Then, and only then, can they build programs to meet those skill requirements! There are no common criteria or standards focused on skills required for proficiency, competency, and mastery for positions in the cybersecurity field.
As I list these five reasons, it brings back another adage that Albert Einstein said: “The definition of insanity is doing the same thing over and over and expecting different results.” For us, as Chief Information Security Officers, we must continually pursue and adapt and re-examine, or we will become extinct.
About Author: Matthew Stern, CISO
Matt Stern is the Chief Information Security Officer at Intelligent Waves. He is responsible for the Cybersecurity Line of Business and also provides his subject matter expertise to support a variety of organizations and customers.
Stern is a retired combat veteran serving 22 years in the U.S. Army. His service culminated with the command of 2d Battalion, 1st Information Operations Command, the Army Computer Emergency Response Team (ACERT), and Regional Computer Emergency Response Teams (RCERTs). This was one of the first units in U.S. Army history dedicated to cyberspace operations.
Stern is an established expert on information technology, network security, information operations, and special information operations. He has focused his career on the military conduct of cyberspace operations, including computer network defense, exploitation, and attack.
He has developed his knowledge and expertise through practical experience leading a variety of organizations to include the ACERT, the U.S. military data communication services in Iraq, support to the technical architecture of the U.S. Army’s digitized Armored Corps, and the systems integration for the Land Information Warfare Activity Information Dominance Center. Stern is also a decorated veteran of Operations Desert Shield/Storm and Iraqi Freedom.
About Intelligent Waves LLC
Intelligent Waves LLC is a service-disabled veteran-owned small business (SDVOSB). The business provides enterprise systems engineering, cloud computing and managed services, cyber and security architecture, mobility, operations, and intelligence analytics. For more information, visit www.intelligentwaves.com.