
Everyone with a Computer is a Target

What you do, where you’re at, how technical or ‘sophisticated’ you are means nothing to malicious actors these days. Those might have been conditions they considered in the past – and convenient justification for your not investing in cybersecurity – but thanks to ransomware and cryptojacking, those days are long gone. Illicit though it may be, cybercrime is a big business, with big revenues, and that money comes from victims large and small. Why is being bad so good for the pocketbook? In part because we make it easy for the bad guys. Until we treat these issues as common, everyday business issues, they will never have the prominence or receive the attention we (as practitioners) think they should. As long as these issues are treated as special cases and addressed only rarely, there is no hope for progress. To take a line from Peter Drucker: what gets measured gets done.


The Price of Doing Business?

Last period it was $5B levied against Facebook. This period it’s $700M against Equifax and the news that the attack against Norsk Hydro cost the company $75M. Big fines or financial impacts for big lessons learned, right? Well, if you’re Equifax, making over $3B in revenue a year, the lesson you (and Facebook, and every other major corporation similarly punished) learn is that poor security is only expensive if you (publicly) get caught short. As long as the costs of such shortcomings can be passed on to customers rather than hitting the company directly, there is no incentive to change apace with the threat. Don’t believe me? If the Capital One breach goes down any differently, I’ll buy you a pint.


Cybersecurity is Hard

When NSA cyber “weapons” were lost to the ether it was big news, and rightfully so. Yet we learned recently that the nation’s premier cybersecurity organization still doesn’t have its **** together. Now we learn that a contractor for the FSB has been breached, raising the question: Is anyone getting this stuff right? Even the police come up short sometimes, so what hope is there for the ordinary citizen? If 25% of breaches are the result of human error, it is probably time for us to stop thinking that technology is the solution to our defensive problems.


Cybersecurity is Easy?

“Patch!” they all say. “Update your OS,” everyone screams. “Stop using old, vulnerable equipment and code,” they preach. Mantras repeated, by and large, by those who’ve never had to actually run an IT infrastructure larger than their home lab, and never had to deal with a user beyond themselves. All of the aforementioned might be good advice, especially for government organizations, which can’t turn on a dime and often don’t have sufficient dimes to spend, but if you can’t accept it, what’s a CISO to do?


Convenience (and Speed) Over Security. Every. Time.

Google has paid out $5M to vulnerability researchers through its bug bounty program. They’re significantly upping the ante going forward. People think this is a good thing, and to an extent they’re right. This is economics at work, but maybe not in the way you were thinking. $5M is the price to find holes in highly functional code. We have no numbers on what it costs to fix that code. But what this all tells us in a roundabout way is that it must cost significantly more to write functional AND secure code.


The Best Don’t Go On Overhead

You cannot complain about – or more accurately promote solutions for – the supply chain if you yourself are not willing to up your game. Contractors are the first to tout their expertise to the government, and the first to whinge on about how improving their own security is going to have a negative impact on the bottom line. That contractors get hacked at least as often as the government is all you need to know about how they allocate talent themselves: the best are on-site, they don’t go on overhead.


Enough with the Air Quotes

My first promotion board in the Army consisted of five men who, collectively, had spent 3 years in various stockades. All but one of them had earned their rank twice (busted down and climbed back up). In a zero-defect world that seems anachronistic, which is probably why so many media outlets are putting quotes around the word “hero” when they mention the sentencing of Marcus Hutchins, the former hacker who stopped the WannaCry ransomware attack in 2017. Yes, Hutchins was guilty of making malware back in the day. Because, you know, we’ve all led saintly lives ourselves, and the hat of every cybersecurity expert we admire today was always lily white.


The Importance of (Real) Intelligence

I wrote in another outlet about the importance of ensuring that you buy actual intelligence, if that’s what you need (e.g. ‘feeds’ are not intelligence). In this age of abundance when it comes to cybersecurity data, intelligence is more important than ever. If nothing else, it helps you make the decisions that need to be made in order for you to advance the cause. In this field we cannot afford decision fatigue.


The War for Cyber Talent…Has Multiple Fronts

There is a talent shortage in the sense that open positions are going unfilled. But when you understand that most organizations are not exploiting all the potential ways in which they could fill positions, it’s easy to understand why arguing that retention is paramount is so seductive. The fact of the matter is that no one with the requisite skills is going to stay somewhere that sucks, and as long as you’re not filling positions, even the best gig will eventually suck. If you went to Carnegie Mellon or MIT and keep struggling to hire people like you, start looking at people not like you. Talent abounds once you take your blinders off. Your shortage is almost certainly a self-inflicted wound.

Michael Tanji

About the Author

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines, he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.