By Marc Packler, President, CISO Advisory, Silent Quadrant
Gartner’s article, “The Top Cybersecurity Predictions for 2021-2022,” contains a quote from philosopher George Santayana: “Those who cannot remember the past are condemned to repeat it.” Reading the article made me ponder whether we, as cybersecurity practitioners, actually do learn enough from our collective cybersecurity past to effectively protect present activities and to anticipate and meet future threats.
Have we really learned from our past? Because protecting the cyber realm is such a broad duty, the honest answer is not yes or no but yes and no. As a society, we have embraced, or at least acknowledged, how easily cybercriminals can manipulate enterprise systems, and we have broadly accepted the resulting trade-off between risk and consequence in both our personal and professional lives. Many people therefore take some measures to protect their home networks, yet most still do not believe they will be the victim of a cyber attack. So, yes: most people have learned that they need to protect themselves in some way; but no: they generally do not do enough. Similarly, the overwhelming majority of corporations have weighed the cost of various cybersecurity measures against the risk of going without them, and most have implemented at least some protection. So, yes, the corporate world has learned that failing to safeguard its networks will eventually hurt the bottom line; but again, no, most do not do enough, and many are not using the appropriate tools.
Why, then, do we still need to tell a story about cybersecurity to change corporate culture and secure serious funding for security? Walk around your organization: everyone is on the network. Without it, little work gets done and productivity drops sharply. If the network is that important, why do we not protect it accordingly? If Gartner’s data is accurate, the lesson is arriving slowly at many corporations:
- By 2025, ONLY 40% of boards of directors will have a dedicated cybersecurity committee
- By 2025, ONLY 70% of CEOs will mandate a culture of organizational resilience to combat threats
Another lesson still being taught: do most corporations know they should be enforcing updates for known security vulnerabilities, the ones already documented and announced by vendors and the wider security community? Yes. Do most of them do it consistently and effectively? No. If they did, keeping systems current with the latest patches and security fixes across the enterprise would have addressed the vast majority of vulnerabilities exploited to date; Gartner puts the share of exploited vulnerabilities that teams already knew about at 99%.
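The "known vulnerabilities" point becomes concrete once it is measured rather than assumed. The following is an added illustration, not code from the article or from Silent Quadrant: it checks a host inventory against a list of published advisories, reports which known fixes each host is still missing, how long each gap has been open, and what fraction of the fleet is fully patched. The package names, advisory identifiers, versions, dates and hosts are constructed sample data, not real advisories or real systems.

```python
"""Patch-compliance check: which hosts remain exposed to vulnerabilities the
organisation already knows about, and for how long?

Added illustration only; all advisories, packages, versions and hosts below
are constructed sample data."""

from dataclasses import dataclass
from datetime import date


def parse_version(text: str) -> tuple:
    """Split a dotted version into a comparable tuple so that 2.10.0 > 2.9.5.
    A plain string comparison would get that wrong ("2.9.5" > "2.10.0").
    Purely numeric pieces sort as integers; anything else sorts before them."""
    parts = []
    for piece in text.split("."):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE
    package: str       # affected package
    fixed_in: str      # first version that carries the fix
    published: str     # ISO date the fix became public


@dataclass
class Host:
    name: str
    packages: dict     # package name -> installed version


def outstanding_advisories(host: Host, advisories: list) -> list:
    """Advisories whose affected package is installed on the host at a version
    older than the fixed version. Packages not installed are not exposure."""
    missing = []
    for adv in advisories:
        installed = host.packages.get(adv.package)
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            missing.append(adv)
    return missing


def days_exposed(adv: Advisory, as_of: str) -> int:
    """Days between the fix becoming public and the as-of date (ISO strings)."""
    return (date.fromisoformat(as_of) - date.fromisoformat(adv.published)).days


def fleet_report(hosts: list, advisories: list, as_of: str) -> dict:
    """Per-host outstanding advisory IDs, the longest-open known gap per host,
    and the share of hosts patched against every known advisory."""
    per_host, oldest_gap_days = {}, {}
    for host in hosts:
        missing = outstanding_advisories(host, advisories)
        per_host[host.name] = [a.advisory_id for a in missing]
        oldest_gap_days[host.name] = max((days_exposed(a, as_of) for a in missing), default=0)
    compliant = sum(1 for ids in per_host.values() if not ids)
    pct = round(100.0 * compliant / len(hosts), 1) if hosts else 100.0
    return {"per_host": per_host, "oldest_gap_days": oldest_gap_days,
            "compliant_hosts": compliant, "total_hosts": len(hosts),
            "compliance_pct": pct}


# Constructed sample data: fictional packages, advisories and hosts.
ADVISORIES = [
    Advisory("ADV-0001", "acme-vpn", "4.2.7", "2021-01-15"),
    Advisory("ADV-0002", "acme-web", "2.10.0", "2021-02-03"),
    Advisory("ADV-0003", "acme-vpn", "4.3.1", "2021-05-20"),
]
HOSTS = [
    Host("srv-01", {"acme-vpn": "4.3.1", "acme-web": "2.10.0"}),  # fully patched
    Host("srv-02", {"acme-vpn": "4.2.9", "acme-web": "2.9.5"}),   # misses ADV-0002, ADV-0003
    Host("srv-03", {"acme-web": "2.10.3"}),                        # no VPN client; patched
    Host("wks-07", {"acme-vpn": "4.1.0"}),                         # misses ADV-0001, ADV-0003
]

if __name__ == "__main__":
    report = fleet_report(HOSTS, ADVISORIES, "2021-07-01")
    for name, ids in report["per_host"].items():
        print(f"{name}: {ids or 'compliant'} (oldest gap {report['oldest_gap_days'][name]} days)")
    print(f"{report['compliant_hosts']}/{report['total_hosts']} hosts compliant "
          f"({report['compliance_pct']}%)")
```

The useful output is not the list of missing patches itself but the age of the oldest gap: a fix that has been public for half a year and is still absent from a workstation is exactly the "vulnerability the team knew existed" that the 99% figure describes, and a number like that is what gets the attention of a board or a budget committee.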
Inconsistent system updates greatly expand an organization’s vulnerabilities and risk. If this is known and understood, why is effective cybersecurity so hard to attain? Because many companies fail to cultivate three critical components of their cybersecurity processes: 1) people, 2) culture and 3) technology. We need people who follow the security processes, a corporate cyber culture that supports those people and processes, and the technology to implement the processes where it is needed.
If we agree these are three critical components of effective cybersecurity processes, then we must remember that people are trainable; the culture can be fixed with training and leadership from senior management; and technology is constantly adapting with the use of artificial intelligence and machine learning. Strengthening cybersecurity processes through people, culture, and technology costs corporations valuable time and money, so it’s wise to use these three resources in the most practical and beneficial ways possible. This often means that the latest and greatest technologies or programs aren’t actually necessary to achieve effective cybersecurity.
Zero trust is a good example. It is an architecture, not a product (NIST describes it as such in SP 800-207, Zero Trust Architecture), yet the cybersecurity industry very often wants customers to buy all new equipment to implement it. That helps the vendors’ bottom lines, but are organizations any safer? Often that is arguable. Newer tools have no better chance of succeeding than the old ones did unless the people using them use them appropriately, which in turn comes from a culture that teaches and supports such use.
Aside from malicious actors themselves, if we accept that people, the network’s users, are one of the biggest threats in cybersecurity, then an immediate and cost-effective fix is to engender a culture of cybersecurity professionalism among everyday users. Train users not only to prioritize necessary updates on their systems but to follow other cyber hygiene measures for email, web browsing and so on. How much training is sent to employees? Is it completed, and is it a priority? Do employees understand the risks of not following proper cybersecurity processes? And is good cybersecurity stewardship exemplified from the top down, beginning at senior levels of the company? Leadership by example is often the most effective way to change culture. Netflix’s leave policy illustrates how senior leaders can set the tone: Netflix has no complex leave policy. As long as people complete their work and do not leave anyone else in the lurch, employees may take leave when and where they like. Employees were initially disbelieving; when Reed Hastings, the chairman of Netflix, and the leadership team posted photos of their own vacations, the culture changed quickly because everyone could see that the boss was embracing the company’s approach. This approach to leave certainly would not work in every organization, but that is beside the point. It shows how leaders can positively influence their employees.
With predictions that threat actors will weaponize operational technology environments to cause human casualties by 2025, with the influx of programmable logic controllers that can be updated over the air, and with continued malicious attacks on SCADA networks, it is more imperative than ever to learn from and apply the cybersecurity lessons of the past. We are already seeing the broader effects when business (administrative) networks are breached or attacked: companies may have to halt operations temporarily, and entire supply chains can be disrupted, which ultimately affects the whole country.
As IT and cybersecurity professionals, it is our duty and our challenge to push industry executives to prioritize cybersecurity as a high-interest item in the funding drills corporations run every year. We must motivate them to bake cybersecurity in from the initial design and conception phases of budgeting rather than tacking it on at the end of the process. To prevent attacks such as the one on Sony in 2014, or more recent examples such as Colonial Pipeline and JBS meat processing, we must use all the tools at our disposal and apply the cybersecurity lessons of the past more effectively. That means not only budgeting and applying funds to cybersecurity but also cultivating strong cybersecurity processes through the three main components: people, culture and technology. As Gartner pointed out, “99% of vulnerabilities exploited will continue to be ones that teams knew existed.”
About the Author
Marc is the President, CISO Advisory at Silent Quadrant. He is a widely acknowledged subject matter expert and public speaker on matters of digital protection and risk management.
Pioneering, innovative, highly accomplished, and decorated, Marc leverages an immense and diverse skillset – derived over the course of his 25+ year career in the United States Air Force – to positively impact digital security, digital transformation, risk management, and strategic operations within organizations across a vast array of industries.
Marc achieved the rank of Colonel; his military career included assignments as:
- Commander, Air Force Cyberspace Capabilities Center
- Commander, 375th Communications Group
- Director, Legislative Affairs, United States Cyber Command
- Commander, 2nd Communications Squadron
- Executive Officer, Office of Warfighting Integration
- Congressional Fellow for Senator Ben Nelson (Nebraska)
- Fellow, Center for a New American Security
With digital security at its core, Marc’s experience within both the public and private sectors spans executive leadership, digital transformation, artificial intelligence, machine learning, robotics, governance, and legislative affairs, among many other areas. Marc holds the CompTIA Advanced Security Practitioner (CASP+), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Project Management Professional (PMP) credentials, as well as master’s degrees in both National Security Strategy and Management Information Systems.
(Source attribution: Silent Quadrant)