The cybersecurity industry has long been failing, and to reverse course, a better understanding of the root causes of that failure is needed.
Those causes were the focus of the session, “Failure by Design: 5 Epic Fails of the Cyber Security Industry,” with presenter Richard Hollis, at last month’s virtual ISACA Conference Europe.
Hollis, director of Risk Crew and a longtime cyber risk professional, cited statistics from a 2019 Global Breach Level Index Report that showed more than 18 million records are compromised every day and more than 770,000 records are compromised every hour. Hollis said statistics like that have made him “grumpy.”
“When recently I’ve taken a look back at my career and my profession and my industry, quite frankly, I don’t like where it’s been, I don’t like where we are, and I certainly don’t like where we’re going,” Hollis said.
That doesn’t mean there is no hope for a better future, given a broader understanding of how we’ve reached this point. So, what are the root causes? Hollis identified five major fails in the industry:
Product vendors
Hollis said product vendors are generally a step behind, meaning that threat actors are the ones who set the pace on the threat landscape. “They do not meet the challenges presented by our adversaries,” Hollis said of product vendors. “They never have. That’s a fact. They have always been reactive when they should be proactive.”
Hollis noted that many computer security vendors profit from the insecurity of computer systems, making him skeptical that the underlying causes of breaches receive the proper emphasis. He said that threats to technology tend to command disproportionate attention over people and processes, meaning investment is often skewed too heavily to product. Hollis said there should be more investment in areas such as employee awareness training, incident response and business continuity.
Internet service providers
Internet service providers (ISPs) “open the door to this crazy nightclub we call the internet,” Hollis quipped. He said ISPs should enforce minimum security controls such as blocking bad sites, stopping malware and reporting crime.
“Just think of how different the internet could be if suddenly ISPs did a little housecleaning, but they don’t,” Hollis said. “Why don’t they stop botnets or denial of service attacks that traverse the very networks that they provide us? … It’s cash, that’s why. They sell the bandwidth that the botnets and the denial of service attacks and the malware consume.”
Without accountability from ISPs, the barrage of cyberattacks will continue, Hollis said.
Managed service providers
Managed service provider processes also have failed, Hollis said. He said security monitoring and reporting services are often not scoped to business requirements.
In addition, Hollis said the services are unclear about defining management responsibility. Instead, they tend to generate large amounts of false positives and produce alerts without context. That results in alert fatigue and alerts that oftentimes are ignored.
“These things are like smoke detectors with weak batteries,” Hollis said.
Business shortcomings
Given that organizations have had three decades to get cybersecurity right, Hollis said it’s puzzling why enterprises still are not making sufficient business cases for cybersecurity or identifying sensible KPIs for their security programs. “Businesses’ failure to measure has resulted in their failure to protect,” he said.
Hollis said businesses also fall short in aligning security to their strategy, so IT teams wind up bearing too much of the security burden.
In the bigger picture, Hollis said businesses have not owned up to a moral imperative to safeguard sensitive data entrusted to them by employees and customers. “I think we fail miserably there,” Hollis said. “We see data as 1s and 0s and not information about people’s lives. Businesses have still not gotten that right, 30 years down the road.”
You
“You. Me. Us, together, we have failed,” Hollis said toward the end of the session. “In fact, I’d go so far as to say we are the underlying cause for all of our failures in our industry that I’ve been talking about.”
Hollis elaborated, saying security professionals have not demanded the same level of quality in the security realm as they do in routine aspects of their personal lives, such as going out to a restaurant. Expectations have to be raised across the industry, Hollis said, and reflected in contracts and new ways of doing business.
He concluded by saying that if consumers and practitioners expect and demand more, “maybe, just maybe, you’ll get it.”