Cybersecurity Transformation— Case For Security Research Community
In the last ten years we have seen cybersecurity industry market size as a whole (products, services, environments) making a steady double digit CAGR growth with 2017 being record year at $137 billion and 2021 projected at $231 billion (Ref: Markets&Markets https://www.marketsandmarkets.com/Market-Reports/cyber-security-market-505.html ).
Frequency, severity and publicity of attacks against various systems led to public recognition of the cybersecurity industry as being important which subsequently led to abundance of products, shiny toys, companies, mergers, acquisitions, divestitures… Buzz words were created, Las Vegas events attended, fortunes have been made but damaging attacks persisted and thrived. That might be an understatement as cost of the attacks is actually already over $3 trillion and expected at $6 trillion by 2021 (Ref: Cybersecurity ventures https://cybersecurityventures.com/hackerpocalypse-original-cybercrime-report-2016/) which makes it far more profitable than the global drug trade. Let that sink in for a while: cyber crime is more profitable than the drug trade… This war is being lost mostly because we were reactive and treated security as an afterthought, something that we believed it can be patched with some duct tape and superglue, bolted on top of the problem, most of the time adding unnecessary shiny toys, succumbed to chaotic product roadmaps, but rarely positioning cybersecurity as the proactive and valuable part of every organization, process, culture and infrastructure.
It is time to reverse engineer our mindset to disrupt the process and invite security experts to the table, not when the party’s over and it is time to clean up and take drunken guests to one of the shared economy cars after they insulted another group of guests (finger pointing). Infosec experts earned their right to be there at the time when that table is being designed, built and also decided how and where it will be placed for the upcoming party. Not after the party.
Information security community is there to lead this revolution. These are your ethical hackers, white hats, pen testers, tinkerers, thinkers, gamers, reverse engineers, talented men and women that are not driven by product commission but love for the industry, vulnerability research and constant problem solving. For the last few years I was lucky to meet some incredible people at the events such as B-Sides Tampa, B-Sides Orlando, HackMiami , TampaCC (Tampa Community Connect), BalCCon just to name a few. Many of these cyber experts contribute to community groups and projects like CVE (Common Vulnerabilities and Exposure) or OWASP (Online Web Application Security Project) . Unfortunately, most of the time the majority of the mainstreet companies get in touch or hire within the community when it is time to do penetration testing only to satisfy the compliance check box in case of an audit. Some more advanced and security savvy companies go a few steps further creating incident response teams as well as blue and red teams where security researchers would simulate the closest thing to attack and initiate proper internal response, plus build integrated security into their own agile process, which are correct things to do. These few savvy companies are led by fantastic CISOs and CTOs that are also valuable part of the infosec community and are constantly recruiting from this talented pool and providing resources.
So what is the value of working closely with the infosec community and embedding security talent into every team in the organization? Information security cannot be handled only by a dedicated security team. Every process, every service, every line of code written has to have security as an integral part. We cannot depend on a small team of people to protect a large enterprise or even medium size companies. High level tasks like threat modelling, risk assessment, architectural input, knowledge transfer, penetration testing and monitoring are best suited for dedicated security teams, which will point to security flaws in design and architecture but most importantly educate the rest of the staff and create internal cybersecurity culture. Continuous resiliency will be reached when security becomes everyone’s responsibility.
We will never stop certain companies and individuals from trying to build or sell the idea of silver bullet products for protection: “just press this button and you will be safe….”. We need to keep in mind that security resiliency is no different than our health or immune system where we cannot take one pill or antibiotic to protect ourselves, but we have to do series of daily hygienic steps to ensure our wellbeing: get a good night of sleep, drink plenty of water, wash our hands, eat healthy foods, exercise, reduce stress… Same process applies for cybersecurity posture which starts with good hygiene such as frequent password changes and spans to connected protection, dynamic response to attacks, network monitoring, segmentation, deception, but also embraces predictive vulnerability risk analysis to become an absolute must and fundamental part of every design, solution and organization.
2019 is shaping up to be an incredibly challenging year from economical, societal, geopolitical and all other aspects. At this time when the world is dramatically changing the need to feel protected and safe will grow. Paradoxically, budgets will be slashed while severity and frequency of the attacks will grow exponentially. However, this is a great time to reverse engineer your previous approach and understand what cybersecurity is, how you measure success and reach out to the information security research community; find experts that are not motivated only by commissioned product selling but passionate about problem solving and minimizing your risk.
Happy New Year (let’s hope so)!