Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

In Cybersecurity, is No News Really Good News?

If You’re Truly Being Proactive, There is No Such Thing as “No News” in Cybersecurity…

If You’re Truly Being Proactive, There is No Such Thing as “No News” in Cybersecurity…

It’s funny how old sayings just become a part of our lives. We just seem to repeat them as a matter of habit without really giving any thought as to whether they fit or not. I encountered one of those situations recently when asking a peer in the financial services sector how they were doing with their security program. His response, “I’m not sure, but no news is good news.” I wish I had thought of it at the time, but the reality of what he had said didn’t really hit me until later. No, a lack of information or news is about the worst possible scenario when it comes to cybersecurity.

Ignorance in CybersecurityThe fact that you aren’t seeing or hearing about potential threats to the organization, or alarms aren’t being raised by the security team, shouldn’t make you feel better as an executive. It should make you wonder if you aren’t doing enough, or even potentially doing something wrong. Millions of attacks take place every day against every type of organization in every market. The idea that you are somehow that lucky corporation that is shielded against sophisticated cyber-attacks is not only misguided and unlikely, but also dangerous.

Just as a couple examples to show the number of attacks that take place every, day, week and year against corporations and government agencies I pulled some statistics from According to their research:

• The Pentagon reports getting 10 million cyber break-in attempts per day.

• Energy Company BP says it suffers 50,000 attempts at cyber intrusion each day.

• The government of the United Kingdom reports 120,000 cyber incidents per day.

While these figures are startling, remember that these include the crude, unsophisticated attempts which are easily, and in some cases automatically thwarted, to the more elaborate attacks.  Even if the vast majority are easily stopped these still demonstrate huge amounts of traffic and activity.

According to statistics from the Government Accountability Office, in 2007 — the year that Twitter was founded by the way — US-CERT received almost 12,000 cyber incident reports. That number had more than doubled by 2009, and quadrupled by 2012. Attacks are only increasing and becoming more sophisticated and not decreasing. No matter what business, location or area of government you work in, you are going to get hit in some capacity. Any thoughts to the contrary are an illusion that may lead you to trouble. 

Leadership teams in organization also often find themselves clinging to another old saying: ignorance is bliss. It perpetuates the notion that that if I’m not aware of it, I don’t need to address it and won’t be held accountable for it. Well as we’ve seen with recent high-profile breaches over the past several years, that standard no longer applies. Not only are corporate executives being dragged before Congress and being made to explain lapses in security, they are facing actual jail time if it can be proven that they were negligent. There is also the intense scrutiny from boards and stockholders as to why the brand is undergoing damage to its reputation and thus negatively affecting share price. A report published by the Center for Strategic and International Studies (CSIS) and commissioned by McAfee sets the current annual costs of cyber events at close to $300 billion.

Implementing an effective program requires constant vigilance and oversight. The idea of plugging in a product and “checking the box” simply doesn’t work anymore. Despite repeated examples and warnings the majority of breaches continue to happen as a result of unpatched applications and programs. Data plays a critical role in security as it allows you to make decisions based upon probabilities and insight. Anticipating where you may be most vulnerable and where an attacker would most likely try and gain entry is the first step in beating back the attack.

I had an old college professor once tell me that hope is not a plan. As I’ve continued my career in security those words have always stuck with me, as I believe it’s a perfect metaphor for ensuring success. Organizations that take an active role in their security and are proactive in determining points of vulnerability and interest are far more likely to avoid a security event than companies that simply install software and hope that it does the trick.

Perhaps we can get behind a new saying that is more applicable to security? If you’re truly being proactive, there is no such thing as no news in cybersecurity.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.