Cybersecurity as a field is only 20 years old. With that, it’s not surprising that the current state of maturity is not where we, as professionals, expect it to be.
However, we have lost our way over time. Partially due to complexity, partially due to the rapid changing of threats, but also partially due to our shiny toy attitude. I don’t fault us for the shiny toy mentality. The vendors and money that attracted investors to our field created this mindset. We just allowed it. Add to it the lack of respect we have historically had in organizations. When I say lack of respect I mean, lack of budget, lack of resources and lack of a general seat at the table with those that should be our peers in the business.
Honestly, its not all doom and gloom. We have gotten some things right. That is shown by the mere number of organizations that now have a cybersecurity program then add in how the base salaries in our field have gone up every year. On top of that, there are now many CISOs with a seat at the table. They speak to the board and they have resources and budgets allowing them to accomplish long term goals.
However, in all the fuss we forgot where we came from and what basic things we had to be good at early on before all of the innovative tools and shiny toys rushed into our industry in an effort to automate and make us more efficient. Its similar to playing Pop Warner football. As a youth you are taught how to tackle. If you made the NFL and then forgot how to tackle, you would fail. You wouldn’t be able to say, but I run faster so that should count. You can’t forget how to tackle when playing football and you can’t forget the basics of a good cybersecurity program. The main problem with the basics is that in cybersecurity, many of those basics were never things we truly owned. We advise and give oversight in some cases, but we have chosen to not always get intimately involved.
What are these basic things you ask? The list is to long to name them all, but lets start with a couple of big and very obvious ones.
I am going to group these two together for brevity, but they almost go hand in hand. Patch management and change management.
How many of us get intimately involved in the patch management program to the point that we not only set the policy, but govern it and hold people accountable for not meeting policy?
How seriously do you take change management? You must go beyond having a security rep attend. That’s just showing up. If you are not doing more than tracking changes your team is making operationally to security equipment, you are failing your organization. For those of us that have been around a while, we all remember the days before Microsoft had a good patching strategy. Back then, the company’s patches seemed to cause more issues than they fixed.
Today that’s not necessarily the case, however, how would you know? Do you check? Do you even know if the changes that were supposed to be completed on critical systems were done properly and didn’t open more flaws to other parts of the system? Probably not.
However, I can recall a day when security was actively involved in change management. Maybe because we didn’t have a lot of other things going on. Maybe because we still only thought of ourselves in the realm of technology security. I don’t know and don’t have the answer to get us back there, but i think we need to hit the reset button on how we determine what’s important to address in our organizations.
So many breaches are the result of poor configuration or systems left unpatched. It’s gotten to be ridiculous that the numbers still remain so high, as the reports continue to show. Even though spending is at an all time high. Even though we have more tools than we have ever had of which many are shelfware or have overlapping capabilities. Even though some security teams are bigger than they have ever been. Breaches are still happening for some very basic reasons and spending more money has not resolved it.
Maybe pressing the pause button and stepping back a bit would give us all some perspective. Now I get that the sheer age of our profession leads us to say the evolution is still in its infancy. However, how long are we to wait? When is the right time to say stop and get the basics right? If not now, when? Do we need to have 1 trillion records breached to finally get it? Do we need to have a financial collapse due to a breach or significant critical infrastructure event that causes a blackout or loss of life across a region? I truly hope not.