There’s More to Cyber Security Than Expensive New Technology; Analysts Know That, But They Focus on Tech Anyhow

Mike Barlow, published in The Startup, Jan 26, 2018

To my mind, the main problem with the analyst community is that it assumes that technology is the ultimate weapon for waging a winning war against cyber crime and that choosing the right technology solution will result in a swift victory over your adversaries.

That is a false assumption. Technology alone is not a formula for salvation. By itself, technology only leads us deeper into what the ancient philosophers called the Valley of Tears. Let’s not go there.

We need to ask several questions: Do analysts and their employers add or subtract value from the cyber security conversation? If they do indeed add value, is that value erased or outweighed by the damage they do?

I have tremendous respect for analysts who painstakingly evaluate new software and solutions for cyber security. But even the best analysts are part of an overarching vendor ecosystem that, rightfully or wrongfully, focuses the major part of its energy on making sales and earning profits.

The cyber security vendor ecosystem reinforces a “build it and they will come” mentality that creates a dangerous illusion that all cyber security products and services have some degree of utility and that they can be classified into a hierarchy according to the potential value they offer to users.

But that’s not the case. Most of the cool new cyber security tech has niche appeal, at best. Each product has a limited number of use cases, and I would argue strenuously against the notion that any one vendor can develop a practical “one size fits all” enterprise-grade solution.

Moreover, the continual back-and-forth over which solutions are good, better and best merely entrenches the essential fallacy that cyber crime can be overcome by technology. Cyber crime is a form of crime and crime is a social disease. We haven’t found a cure for the common cold, and we’re not likely to find a cure for cyber crime.

This much is certain: If a cure for cyber crime is discovered, it will be a combination of technical and behavioral remedies. Cyber crime is a complex phenomenon. It mutates and evolves. It will prove resistant to solutions that rely entirely or predominantly on technology.

I applaud Larry Ellison’s commitment to developing self-protective and self-healing database technologies based on AI. I hope they work and I hope they prove useful to the companies that purchase them.

But artificial intelligence, machine learning, deep learning and reinforcement learning are all parts of the technology echo chamber. We will not win a decisive victory over cyber crime by merely developing and deploying bigger, better and faster technology solutions.

You think the bad guys haven’t heard about AI and ML? They’re just as smart as the good guys, and in some instances, they’re more highly motivated.

Modern cyber security strategy is essentially a defensive strategy. It’s always harder to defend than it is to attack, which means the good guys stand guard while the bad guys poke around and look for vulnerabilities.

Defense-in-depth is pretty much just what it sounds like: layers of controls. It’s neither sexy nor particularly innovative. On the other hand, it’s expensive, which is great for vendors and not so great for their customers.

If the vendors had their way, you would build a castle to protect your data. Then you would build another castle inside the first castle. And then you would build another castle inside that one. And by the way, each castle would have a moat with its own crocodiles.

The cost of defensive cyber security raises another issue. How much should you spend on cyber security? The rule-of-thumb is that you should never spend more than the value of the asset you’re protecting. But who sets the value of the asset?

Not the CIO or the CISO. Top executives such as the COO, CFO and CEO are responsible for determining the value of corporate assets. The decision to spend or not to spend is theirs; under no circumstances should that decision be delegated to the CIO or CISO.

But the cyber security vendor community targets its marketing efforts at CIOs and CISOs. Its sales teams meet regularly with CIOs and CISOs. They do not aim their marketing messages at CEOs, CFOs and COOs, who are far too busy to get that far down in the weeds.

The executives who actually know the value of the corporate assets behind those intricate layers of defensive shields are not the executives making decisions about how much money to spend on cyber defense. That’s a problem.

The cyber security vendors want the conversation to stay focused on technology, because that’s what they sell. But the real issues here are risk management and asset valuation. My beef with the analysts is that they rarely address those issues; instead, they get down in the weeds with the vendors and talk mostly about the cool new tech.

As a writer and speaker, I understand that urge perfectly. I’d much rather write and speak about technology than about risk management. But nobody relies on me to help them make choices about which incredibly expensive cyber security solutions to buy. And that’s fine.

What’s not fine is when the analysts passively adopt the mantra of the cyber security vendors, which is that technology is good and more technology is even better.

Here are four recommendations for leveling the cyber playing field that don’t require investing in new tech:

1. Focus on core risks and don’t buy anything you don’t need. For example, if you’re a B2B software company and your main risk is having your IP stolen, then you probably don’t need email anti-spoofing tools. On the other hand, if you’re selling consumer goods, you probably don’t need lots of fancy data encryption. What you don’t have can’t be broken, stolen or used against you.

2. Create physical separation between threats and assets. Examples of separation include closing ports to servers on the firewall, having your SSL and SSH terminated before the server asset and disabling connections between your office PCs on the network layer.

3. Study the enemy. Greg Fell and I created a handy taxonomy of malevolent actors in our O’Reilly report, Who Are the Bad Guys and What Do They Want? Download the free report, update the taxonomy and use it as a guide for identifying the people and players most likely to attack your cyber assets.

4. Educate, train and pester. You need to be sending regular companywide emails reminding everyone not to click on any link that seems even remotely suspicious. Phishing remains a humongous problem; feel free to remind people early and often not to click on links without looking at them carefully first. And that includes links sent to you via Facebook, Twitter, LinkedIn, Instagram, or whatever.

Please note that none of those four recommendations involves buying expensive software or hardware. To a large degree, the success of your cyber security efforts will depend on your ability to outthink your opponents. The analysts might tell you that, or they might not.

Mike Barlow writes about cyber security, big data, AI/ML, smart cities and DevOps for O’Reilly Media and other publishers. He is the co-author with Greg Fell of Not All Data is Created Equal, Patrolling the Dark Net and Who Are the Bad Guys and What Do They Want? For more information, please visit Mike’s author page at O’Reilly Media.
