My Cyber Diary: Key Observations from the Last Few Years in the Cybersecurity Marketplace
Cybersecurity issues have become front page news virtually every week – breaches, fraud, theft and a whole host of other cyber crime events read like the police blotter from a large metropolitan city where criminals run rampant.
At the same time, regular reporting on increased cyber defense spending, more info-sharing and collaboration, new technical solutions, businesses getting serious about cybersecurity, governments legislating cyber safety through governance and regulation, and a flurry of other recent activities designed to keep us all safer have also made their way to the front of our everyday news.
It would seem to be something of a contradiction. Each week, new stories of cyber woe. Each week new reports of improved diligence in the fight.
This contradiction brings on the kind of cognitive dissonance that won’t go away until you’re able to fully analyze what’s happening between what’s being done to combat cybercrime and what we’re all seeing each week in the news. What it comes down to is that sooner or later, we’re all victims of cybercrime and it seems obvious that what we’re doing now isn’t working perfectly.
Having spent the bulk of my career working in and around cybersecurity and intelligence domains, I realized recently that I’d never really looked at the problem from the perspective of businesses that are the chief consumers of cybersecurity solutions.
So, with a few years of fresh data on hand collected from meeting each week with companies and their cyber teams to exchange info and talk about security functions inside their businesses, I set out to comb through the info I’ve collected in an attempt to at least shed some light on the dilemma.
What follows below are just a few observations gleaned from my experiences that, for me at least, help lay the foundation for an explanation or two – and maybe a way for us to help ourselves. Be warned, though! Not all of it is particularly pretty. But, then again, neither is the cyber problem itself.
The challenge is huge, but so is the opportunity to adapt and evolve.
Cybersecurity operations are consistently (and highly) immature across all industry sectors
Through my meetings each week, a picture of cybersecurity in business has come sharply into focus. Outside of the largest financial companies (they have other issues, so read on), the predominant majority of businesses I encounter:
• Have inadequate cybersecurity teams and/or small “many-hatted” staffs that are “wrongly” shaped and sized
• Rely on highly manual day-to-day processes, triage and prioritization
• Use little or superficial threat and risk intelligence techniques
• Practice a technical, “tactical first” operational posture with little or no strategic functions
• Depend on setting up “check-the-box” defense approaches such as “Defense in Depth”
• Skew budgets toward “security blanket” cyber defense acquisition
• Overly prioritize OOTB endpoint, Anti-Virus/Anti-Malware, IDS/IPS and firewall technologies
• Organize via stove-piped teams with high duplication of effort and little intercommunication or coordination
• Blindly trust managed security outsourcing and consulting services
• Focus on low-level, high-volume “navel gazing” data analysis
• Allow for personality-driven security leadership with few checks and balances
• Get caught up in engineering process and procedure over practicality
• Are averse to starting over, admitting failure or adopting the continuous improvement functions required to do so
• Are slow decision-makers vs. informed and expedient trigger-pullers
• Act conservatively and out of fear as opposed to confidently and unconventionally
• Disconnect security operations from business operations
• Are unaware of the exact depth and breadth of their specific cyber risks
• Believe “it won’t be me” and “it’s not really that big of a problem”
Likely the single biggest incorrect assumption out there is that, because cyber is such a pervasive problem, surely every business and organization is as highly and effectively organized around cyber as is possible.
Unfortunately, that simply isn’t the case.
In most cases, for even the largest, most successful businesses, there’s a cyber defense function that is veritably infantile against the maturity of the cyber threat they face – no matter how much they spend on it. Things are not advancing as fast and as consistently as they should and stunted growth is costing us all.
Large “cyber mature” businesses aren’t necessarily safer – and may be inadvertently hurting the rest of us.
For the most part, the phrase “cyber mature” pretty much equals bigger spending on cyber defense tools, personnel and controls. In general, the larger the business, the better the spending on cybersecurity. As well, the more a large company’s customer base is directly related to their chief revenue stream, the more cybersecurity operations are formalized as part of the bigger business operations.
Enter, for example, financial services, retail and healthcare.
You’d think the largest companies in these sectors would be very effective at cyber defense and cybersecurity in general. For certain, in proportion, they are well-resourced, have big budgets and all the coolest tools across the entire spectrum of solutions.
But are they necessarily any safer from cyber threats?
The info I collect each week leads me to believe they may be just as badly off as (if not worse off than) other smaller companies in their own sectors and across industry. That’s because these companies – in addition to all the things from the above section – tend to be:
• Less agile – Bigger surface areas with more moving parts always equals slower
• Less communicative – Complex organizational structures create high impedance inhibiting effective transmission of valuable information
• Disorganized – It may look like the picture of industrial organization on paper but even traditional domains like sales and customer support are stressed at this scale
• Bureaucratic – Big systems breed big inefficiencies, especially when it comes to decision-making and innovation
• Overly conservative – Protracted evaluation and acquisition cycles with a narrow focus on “conventional wisdom” practices stifle new solutions
• Overconfident – Having a full armory leads to a false sense of security, less alertness
• Strategically handicapped – Even the most successful of these largest firms doesn’t really manage cybersecurity the same way as sales, marketing or HR
What’s more, as the major buyers of cybersecurity solutions, these one percenters may also be skewing the IT industry toward product development designed to sell to the ways they buy. Thus, lower priced, reduced scale and right-sized solutions are not nearly as plentiful nor committed to by the marketplace. Marketing, pricing, features, licensing, implementation, consulting and more are all dogs wagged by so many big tails. It’s not intentional or malicious, but it’s naturally what happens in a market driving value to the “haves” rather than the pandemically affected “have nots.”
This all also has a trickle-down effect not just in how smaller businesses buy things, but down to their security engineering and operations levels too. Smaller businesses look upstream in their supply chains to their “big brothers” as a way to model what to do about cyber threats.
What the big guys do, others mirror in their own approaches.
Midsize and larger small businesses are proving better able to adapt and evolve
The aforementioned cybersecurity immaturities notwithstanding, it’s a virtual fact in my observation that midsize businesses and the larger small ones seem to be more equipped to fight the cyber battle the right way. They’re more agile, make quicker decisions, are more innovative and tend to be more focused on budget-driven right-sizing of solutions to get just the bang for the buck in ways that can be used efficiently by available staff.
These businesses also seem to be adopting and making the best use of both practical “common sense” diligence and newly emerging cybersecurity approaches.
Because smaller companies tend to prioritize and focus more on the fundamentals, they seem to be showing they can keep better pace with the ever-changing landscape. It’s also something that’s counterbalanced and complemented by their speed of adopting new approaches.
Take for example cyber intelligence.
Having the right awareness at the right time – on both high and low levels – and being able to act on it with immediacy is something that’s beginning to pay real dividends in this realm. Because their cyber operations tend to be smaller, more focused on their specific risks and their communications a lot less impeded, a little good intelligence goes a long way toward supporting direct tactical action – and it’s fast.
These are just a few observations gleaned from the data diary I’ve collected working with companies over the past few years. Right now, it’s all telling me we seem to be at a watershed moment in both the cybersecurity market and with our business cyber defense circumstances. Across the board, processes, people and technologies need to be continually reexamined and analyzed for what they can tell us about being better positioned each day against a foe that certainly does so themselves. Sometimes, even simple tools like a diary can yield valuable insights.