Just this past week, a recent study hit the news that concluded – as many studies have before it – that the Transportation Security Administration (TSA) is fundamentally not effective at making air travel more secure in a post-9/11 world.
One of the major failures? Their periodic screening process.
It seems that, for a variety of reasons, their methods are not only ineffective, but are themselves a source of additional security risk above and beyond the threats they’re trying to stop.
As I engage with customers across the industry, I see the same kind of approach being duplicated in cybersecurity, and it’s having the same kind of effect on companies trying to get safer.
For a long time now, it’s been a widely accepted “check the box” cybersecurity practice to engage in periodic cyber risk assessments designed to give management assurance about whether their cyber defenses are adequate.
The central issue is that any cybersecurity process that relies heavily on periodic risk assessments as an indicator of its security status is not only giving the company a false sense of how safe it is, but it’s also deflecting energy and resources away from discovering, mitigating and/or preparing for real, active and immediate cyber threats.
Let’s take a look at just a couple of the areas of concern.
Polaroid Security
A friend of mine recently told me about an experience she had with an online dating site. She’d been corresponding for about a month with a guy she had really come to like. Plus, from his picture, she really felt like he was her type: rugged, handsome and dark-haired.
When they met in person, let’s just say things had changed. He was at least 15 years older than his photo, his hair was now white, he had gained about 40 pounds and he had started smoking.
When it comes to cybersecurity, many companies that engage in periodic or annual risk assessments and feel comfortable with the picture that comes out of it are also flirting with disappointment – and maybe even disaster.
The cyber threat landscape changes almost hour to hour. Certainly every week, new threats arise and old ones change. They find new targets and new ways to reach their ends.
For the companies themselves, risk is also “alive” and dynamic. There are new products, new websites, customer portals, new locations and of course new technologies being used all the time.
And that’s where the problems with risk assessments start.
The risk assessment is just a snapshot in time. Companies often pay lots of money to have their internal risk management teams, managed service providers, expert consultants and security vendors assess and report on their cyber risk at a single point in time. Typically, this occurs annually.
But that picture changes almost as soon as it’s read. In fact, because many of these assessments take months to perform, the risks they call out (or not) have often changed by the time the assessment is delivered.
Thus, when the report is finally analyzed and assessed, the company goes forward from there making dangerous assumptions, its alertness to possible new threats lowered by the sense that it has a good grasp of its risk profile.
The Cocktail Party Effect
Have you ever been talking to a couple of people only to tune them out when you hear something of interest being said by someone involved in a totally separate conversation happening near you in the same room? Of course you have. In fact, we all have.
Back in the 1950s, researchers began to identify something known as “The Cocktail Party Effect.” Put simply, it’s our brain’s ability to filter out one set of signals to focus on a single signal that grabs our attention.
In the cyber world, this phenomenon leads to a big problem when it comes to risk assessments.
Beyond a false sense of security, companies will often use these reports to set cyber defense strategy in motion for security operations, hardware and software acquisitions, legal counsel and more. It is a kind of throwing good money after bad, so that a single risk assessment can have real long-term negative effects.
The risk assessment itself is a bit like hearing your own name spoken at a noisy cocktail party: it exploits our tendency toward selective attention, so we tune out the other voices and hear only what’s being said about us in that one conversation.
So what’s the alternative? A program of “living” cyber threat intelligence across tactical and strategic levels. In other words, the analysis that comes from actively and continuously monitoring your cyber risk profile across all parts of your business operations against the specific threats out there that match it.
Back in 2010, Marijn Ornstein, frustrated security boss of Amsterdam’s Schiphol Airport, said:
“If you look at all the recent terrorist incidents, the bombs were detected because of human intelligence not because of screening … If even a fraction of what is spent on screening was invested in the intelligence services we would take a real step toward making air travel safer.”
Just as with the TSA and air travel, there’s ample evidence and support in the cyber domain for the use of intelligence approaches, but the industry and our governments are currently too slow in learning the lesson.
Meanwhile, businesses line up for screening, just as they’ve always done, while the criminals continue to go around it and get through undetected.