CSAM: Why Is Cybersecurity So Hard?

Cybersecurity sure seems like it’s harder than it ought to be. Why is that? Next time you feel like berating your local ISO or System Administrator, maybe think about these things instead:

– Cybersecurity is asymmetrical. To play defense, you have to protect every user device and every network component, everywhere, all the time, no matter what functions they are performing. A hacker only needs to exploit a single vulnerability.

– Cybersecurity has to deal with conflicting priorities. Attackers are completely focused on getting into your systems. Information security folks have to balance defense against the always higher priority of usability and various competing demands such as privacy and budget.

– Complexity. Computer technology continues to change exponentially fast, and the complexity increases at least that quickly. Cybersecurity professionals have to keep up with all of it since anything can provide the critical vulnerability; a hacker only needs to find a single exploit.

– Limited metrics for Return on Investment. Nobody is willing to stand up and tell you what percentage safer you will be by spending your next incremental cybersecurity dollar. And there are plenty of stories about organizations like the Federal Government and big financial institutions that spend very large amounts and still get hacked. When it comes time for budget justifications, this makes for a very hard sell.

– Lack of control. Well, you’re the one who wanted mobility and BYOD, aren’t you? Not that the cybersecurity model of strong centralized control really worked that well, but geez, now there’s no pretense that someone is in control.

– Users. Information systems would be SOOO much safer if it weren’t for all those pesky users. A large majority of all cyberattacks involve direct attacks on individual users through phishing, social engineering and other techniques. Get with it people!

– Self-sustaining ecosystem. OK, this one is both cynical and a conspiracy theory, but still…who wins under the current failed system of cybersecurity? Well, software producers continue to be able to ship products after only limited amounts of expensive and time-consuming testing and Q/A processes to reduce errors. [Interesting aside: vehicles are now bringing together the “zero defects” mentality of the manufacturers with the “let the users find (and fix) the bugs” mentality of software…wonder who will win the day?] Purveyors of cybersecurity solutions have a robust and growing business base. The criminal hacker community continues to operate a multi-billion dollar enterprise. Companies that rely on collecting your data can buy cyber insurance to limit their exposure, making it simply a cost of doing business. Hard to imagine how many jobs would be lost if somebody waved a magic wand and suddenly all the vulnerabilities disappeared.

Cybersecurity is indeed hard. For it to be even reasonably effective takes lots of people across many industries doing smart things to reduce the risk. So if you get a chance, say thank you to your ISO or system administrator…I’m sure they’d appreciate it.
