Cybersecurity

    The potential for cybersecurity spending is limitless.

    The potential for #cybersecurity spending is limitless.

    There’s literally no end to the time, effort and money you could spend on adding more checks and controls to make things more ‘secure’ ad infinitum.

    The result is an extreme cybersecurity ideology: ‘secure everything just in case’.

    And if you’re responsible, and accountable, for running a cybersecurity programme there is no incentive not to keep demanding more.

    Because if you’re a security extremist and you still get hacked, at least you can say you did everything in your power to make things more ‘secure’.

    It takes real guts and courage to be a cybersecurity non-extremist and advocate for an informed risk approach.

    'Secure everything just in case' is unsustainable.

    Companies must respond urgently, but also seek to reduce risk smartly, in a world of limited resources. And, quite rightly, the question of “what is to be done?” is being asked by the executive and the Board.

    The biggest problem is not spending more money and deploying more controls but rather deciding how to spend the limited time and resources.

    The true task of the cybersecurity leader is to pick what to do based on an informed sense of which tasks lead to a better future. There will always be too much to do. There will always be a top-down demand for perfection.

    The alternative is to try and ‘secure everything just in case.’ The result is rampant spending on additional controls and oversight that then demands even more resourcing and with no clear end in sight.

    This unsustainable growth of cybersecurity creates a paralysing implementation gridlock. The few teams, often technical and already highly utilised, are further put upon to implement the new controls and become overloaded with too many competing demands.

    “Security” wobbles drunkenly

    Quite possibly the best ‘security’ rant I’ve seen:

    “Of the innumerable things I detest about information technology, first prize goes to the word “security.” Not the concepts behind it, the actual word. The definition of “security” wobbles drunkenly all about the dictionary depending on who’s speaking, who’s listening, the context, and the distance to the nearest brute squad. It’s a transcendental state where everyone is perfectly safe from everyone, but it’s not inconvenient or intimidating or incomprehensible in the slightest. Security is Happy Fun Land, where everybody eats hot fudge sundaes all day every day without developing diabetes or gaining so much as a gram. The only way to make this word even slightly meaningful is to tightly define the context.”

    Michael Lucas I salute you 🖖

    Risk is a necessary consequence of dependency.

    Or: if you’re part of contemporary society, opting out is hardly an option.

    It seems impossible to live our contemporary lives without depending on the Internet. Every aspect of how we now live has a digital element, directly or indirectly: the services we rely upon themselves rely upon the Internet, a kind of virtual network of reliance and dependence. Our daily lives, whether we like it or not, depend on the smooth operation of electricity, networks, computers, accurate clocks and industrial cyber-physical controls. Very few of us can truly opt out of those things, and our dependence, especially our expectation of stable, reliable operation, brings us risk.

    #cybersecurity #risk #reliance #dependence

    Is the drunken orgy of cyber security over?

    Being ‘secure’ is popularly understood as a better state than being ‘insecure’. This is unsurprising; in the cyber security domain, being secure and doing things securely is considered so obvious as to not even need explicit reference. Many practitioners would argue that more ‘secure’ is the goal and the entire point of their exercise.

    Yet despite the wisdom of the community, what precisely is meant by this is rarely, if ever, defined. This creates an obvious problem: if more cyber security is so important, then measuring it must be of the utmost importance too, and effective measurement requires a clear definition before it is possible at all.

    This is a conundrum worth thinking about, because if you are responsible for improving cyber security, whether you have done so will be a matter of some dispute.

    So WTF is cyber security?

    There is no universally agreed-upon definition of the term that can be relied upon to give a clear verdict.

    There is the common view that cyber security is about being in a ‘better’ state and creating an ‘advantage’. But it doesn’t take much analysis to realise that this then opens up another set of questions. ‘Better’ and ‘advantage’ as defined by what terms? To whom? When? And how?

    The idea of the baseline against which a superior advantage exists provides further obstacles. Should you measure against third party expectations, a narrow set of your similar competitors, the same vertical or industry as a whole, or perhaps even the entire community?

    Then, there is the problem of time. Does having better cyber security mean winning the ‘game’ at a single point in time? Or does it mean continually adding more people, processes and tools to maintain an advantageous position in relation to the changing dynamics of your vulnerabilities and threats? Where does this end? This is not sustainable.

    Others argue that cyber security happens when activities reduce risk (yep, your guess is as good as mine). Said risk reduction is considered sustained when it holds against the changing vulnerabilities and threats relevant to your context. This line of reasoning is even more difficult to take seriously; it assumes that whoever decides, by edict, whether the risk reduction has happened and is sustained can look into the inner workings of their context and has perfect knowledge.

    And so it goes on…..

    The bigger point is that cyber security, on one hand, is key to reliable, predictable, assured and trustworthy (yep, I don’t know either) business operations, and that this is something a company can create and manage. On the other hand, successful cyber security is only visible in retrospect, thus tantamount to success itself, and by nature temporal. This is entirely circular logic.

    So, where does this leave the Chief Information Security Officer?

    Well, whether better cyber security did create an advantage or not is impossible to say, given that there is no consensus on what the term means. So, perhaps any CISO looking to help themselves, and their employer, should start by defining precisely what it entails, how it will be measured and why it matters in relation to their specific context. Clarity is key. Whether any supposed expert agrees with the definition is irrelevant as long as it works for you in your context.

    JOB OPPORTUNITY - WORK FOR CERT NZ

    The nice people at @CERTNZ are recruiting.

    JOB OPPORTUNITY - WORK FOR CERT NZ: We’re on the lookout for a Senior Engagement and Comms Advisor to oversee a project to translate cyber security information into different languages. If that sounds like you, see full details here: <careers.mbie.govt.nz/jobs/MBIE…>

    (N.B. I’m just paying this forward for further visibility & reach. I have no relationship with CertNZ apart from I love New Zealand 🥰 🥝).

    The Young Fall for Scams More Than Seniors Do. Time for a Warning.

    For years now, the Better Business Bureau’s survey research has shown that younger adults lose money to swindlers much more often than the older people you may think of as the stereotypical victims…If you’re a digital native and consider yourself immune to all scams, the thieves have you right where they want you.

    <www.nytimes.com/2021/06/2…>

    Encrypted Client Hello: the future of ESNI

    I’d encourage anyone using Firefox 89 to further enhance their privacy by enabling Encrypted Client Hello (ECH) in about:config. ECH encrypts the parts of the TLS ClientHello, notably the server name, that otherwise travel in cleartext and tell any on-path observer which site you are connecting to. Further details and a how-to are available in Mozilla’s recent blog post <blog.mozilla.org/security/…>
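    To make the privacy point concrete, here is an added example (my own code, not from Mozilla’s post) that builds two minimal TLS ClientHello records and parses them the way a passive observer on the wire would. The first carries a plaintext server_name (SNI) extension and leaks the hostname; the second is shaped like an ECH outer ClientHello, where the SNI carries only the client-facing server’s public name and the real target lives inside an encrypted extension. The ECH extension code point 0xfe0d is taken from the ECH draft series and is an assumption here, and the ECH payload is an opaque placeholder rather than a real HPKE-encrypted inner hello; the hostnames and bytes are constructed for the demo.

```python
import struct
from typing import Dict, List, Tuple

# TLS extension code points. server_name is RFC 6066; the ECH code point
# 0xfe0d comes from the ECH draft series and is an assumption for this demo.
EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D


def sni_extension(hostname: str) -> Tuple[int, bytes]:
    """server_name extension with a single host_name entry (RFC 6066 section 3)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type 0 = host_name
    return EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry   # ServerNameList length prefix


def ech_extension(opaque_payload: bytes) -> Tuple[int, bytes]:
    """Placeholder ECH extension; a real one carries an HPKE-encrypted inner ClientHello."""
    return EXT_ENCRYPTED_CLIENT_HELLO, opaque_payload


def build_client_hello(extensions: List[Tuple[int, bytes]]) -> bytes:
    """Wrap a minimal ClientHello (one cipher suite, no session id) in a handshake record."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                                  # legacy_version TLS 1.2
        + b"\x11" * 32                               # random (constructed, fixed for reproducibility)
        + b"\x00"                                    # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256 only
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Return what a passive observer can read from a ClientHello: SNI, ECH presence, extension types."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
    sid_len = record[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = record[pos]; pos += 1 + comp_len
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    result: Dict[str, object] = {"sni": None, "ech": False, "extension_types": []}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4]); pos += 4
        data = record[pos:pos + ext_len]; pos += ext_len
        result["extension_types"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, then name_type(1), length(2), host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif ext_type == EXT_ENCRYPTED_CLIENT_HELLO:
            result["ech"] = True
    return result


def observer_view() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Plain hello leaks the real hostname; ECH outer hello shows only the public name."""
    plain = build_client_hello([sni_extension("secret.example")])
    ech = build_client_hello([sni_extension("public.example"), ech_extension(b"\x00" * 64)])
    return parse_client_hello(plain), parse_client_hello(ech)


if __name__ == "__main__":
    plain_view, ech_view = observer_view()
    print("plain TLS  :", plain_view)   # sni leaks 'secret.example'
    print("ECH outer  :", ech_view)     # sni shows 'public.example', ech flag set
```

    Run it and compare the two dictionaries: with ECH enabled the only hostname an observer recovers is the client-facing server’s public name, which is exactly the property the about:config change buys you.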