Much of last year and the start of this one we have heard quite a few information security industry pundits openly discussing the lack of palpable improvements being made in the space. These failings cover a range of fronts, they say.
Yet, the bottom line is that we're off our game.
We started seeing more players in the last 12 months admitting that the industry is broken. All the efforts over the last, say, 20 or more years, while going some way to protect organizational infrastructures and data assets just aren't working. Companies have and still do the layered-approach thing, the defense-in-depth planning, but continue getting breached.
As a result, talk of attack prevention is antiquated. Yeah, we still try covering the bases here in the technologies implemented and the services used, in the strategies forged and updated; we still hope that a layered approach that accounts for our now completely amorphous perimeters and our countless endpoints will see us doing our best to detect and prevent attacks. Yet, we all know actually preventing attacks is just about as likely to occur as riding a unicorn.
To address cybersecurity challenges requires team efforts and initiatives founded on trust and collaboration.
These days, vendors and the organizations they serve are getting down with the view that the bad guys already are in. This means we need plans and solutions in place to see what they're doing, how they're moving through our networks, what they're accessing, what they're taking and, then, what the hell we're going to do about it.
Enter the overused saying, “there's no silver bullet.” Still, however, views of more reliant products have to enter the fray. So now we're seeing more play given to threat intelligence, behaviorial analytics and network monitoring and defense products.
And that's good, but harkening back to that “silver bullet” thing, solutions alone aren't going to cut it. As we've heard time and again during conversations with CISOs, and at the likes of the RSA Conference, those on the side against cybercriminals need to come together. The private-public partnership moniker has been referenced so much over the years it almost has lost meaning. Yet, calls for constructive, meaningful and fruitful conversations from both sides are earnest and well-meaning, for the most part.
Of course, let's skip battles launched by entities such as the FBI against Apple (which we review in this month's cover story) as a rip-roaring endorsement of partnering actually working given that precedent-setting seems more the motivation behind federal officials' actions against Apple than the gaining of sound evidence. After all, according to most reports, many close to the case believe there's not much to be found on the phone in question.
And while I'm getting into fodder appropriate for an entirely different column, this still is in line with the point I'm trying to make in this one: Weirdly misguided and antagonistic moves on the parts of any government officials toward private entities and industry pros do little to engender good will and strong ties to address growingly complex and concerning information security challenges.
Cybersecurity needs are daunting and massive enough on their own. To address these robustly across organizations and then on a national and even international scale, requires team efforts and initiatives founded on trust and collaboration. Further, in their planning and undertaking, these labors must account for important stuff like privacy and Constitutional rights.
Cybercriminals are winning because they've got their eyes on the ball and are working together. All the while, we just keep making the prize an easy target as we wander about the ole' dugout trying to figure out who comprises the team and what the long-term strategy is for the season, much less organizing a line-up for the current game, making the plays needed to put some points on the board, and swinging some solid bats to hit some homeruns.
We've got the makings of a winning team which could be more competitive right now. But the adversarial, pretentious, self-serving stances do nothing to help progress the necessary work before us – whether we're talking vendor mud-slinging, legal wrangling driven by other motives, or corporate politiking to simply advance oneself instead of much greater and important goals. It's simply time to get in the game – together and for the common purpose of strengthening security postures for us all.