This is a tale of what should be, but never seems to be, a strong lesson learned.
Every October, our industry “floods the zone” with best practices to promote National Cybersecurity Awareness Month (NCSAM). While noble in concept – setting aside an entire month to reflect and otherwise share deep thoughts about what is and what is not working to defend our digital assets – a deluge of vendors has devalued the occasion by turning it into a promotional platform that does nothing to truly help enterprises, their users and consumers.
It is time we discuss an uncomfortable truth: For too long, our industry has perpetuated what can candidly be described as a ruse. Working quickly and even feverishly to satisfy economic interests over security priorities, companies sell software, which is inherently flawed, then subject users to a continuous cycle of updates that never really moves the needle in terms of protection.
This has emerged as the norm for us. We inundate customers with software products and a ceaseless cadence of updates, and then, during October, we lecture them about patches and passwords and appropriate cyber hygiene while never actually resolving the issue at its heart. This is hurting our industry, and we may eventually cripple our reputation if nothing changes.
But there is hope, and what most people don’t realize is that a better way is emerging, if we can look past the myths and focus on a more positive and practical path forward.
So how did we get to this place? Because software plays are easy to pull off quickly, creating a fragmented marketplace of carny barkers all claiming to fix everything. But proprietary architectures and code are not ironclad. Yes, we love the flexibility of software. We can make it do amazing things! But we are the modern-day Icarus, reaching higher and higher on the wings of innovation until we fly too close to the sun. In reality, the astonishing flexibility of software makes it vulnerable, saddling us with complex systems in which simple bugs can lead to a vast array of compromises.
That is because computers use general-purpose processors (Turing-complete machines, in computer-science terms) to run many different kinds of software for many different applications. Sophisticated hacking is most often about taking advantage of the adaptability of those machines by convincing them to run malicious applications, which lead to breaches, ransomware and additional unwelcome consequences. In other words, the power that allows us to “do something great” with software simply by supplying it with the right instructions also allows attackers to spot an unexpected quirk in its behavior and then feed the software their own nefarious instructions. Mayhem ensues.
Still, we continue to offer point updates to end users to “make everything better.” And we peel off the pages of the calendar until we get to October, when we can trot out some “new” best practices (new, that is, if we’ve thought of anything fresh since the prior October). But, remove the façade and you have a large sea of security vendors trying to stop things from getting too bad, too fast.
False hope dispensed ubiquitously during NCSAM and similarly staged events can only last so long. Enterprises are reliant on security vendors to mitigate a level of vulnerability for their end users, who expect top-notch protection. But it’s a complete falsehood to believe that enterprises will meet these expectations if the vendors keep going down the current path.
So, let’s chart a new path forward by next October. Vendors should not promote cyber hygiene; instead, they should admit that they have room to improve, and then tell us how they’re going to do it. That would amount to an admirable first step in committing to enterprises and end users with palpable actions designed to strengthen protection.
It’s a myth that the only way to “do” security is through software. Yes, hardware is inflexible. But, when crafted the right way, it brings the highest probability of mitigating vulnerabilities. Unlike software, hardware isn’t a malleable object that eagerly responds to commands. It is, frankly, too stubborn to hack because it is rigidly focused on a narrow purpose. Software is about the possibilities of anything. Hardware, specifically hardware that utilizes lower-complexity (non-Turing-complete) digital logic, avoids software’s weak points and does what it was originally told to do, and nothing else.
For everyone’s sake, we should hope to do something different and better by next October. Nothing will change, after all, until the security industry starts leading. It must concede that the software approach ignores the fundamental nature of cyber risk, because more software cannot overcome the intrinsic nature of how hardware works. This is the kind of awareness – as opposed to endlessly repeated best practices and platitudes – that can transform the industry into a true impact-maker.