The problem with our cybersecurity problem

The problem is not that there are problems. The problem is expecting otherwise and thinking that having problems is a problem.

Theodore Isaac Rubin, American psychiatrist

We have a cybersecurity problem, but it’s not the problem we think we have. The problem lies in how we think about cybersecurity problems. Too many of us are stuck in a reactive loop, looking for silver bullet solutions, when instead we need to change how we view cybersecurity problems.

For CISOs at companies around the world, in every industry, the battle is real. There is an incident and the organization responds. Too often the reaction will be to buy a new software product that is ultimately doomed to fail and start the reactive cycle all over again.

The problem with this approach is that it excludes the possibility of being proactive rather than reactive, and given the increasing commitment, we really need a holistic approach. In the US, the average cost of a data breach is now higher than $4 millionand that may not include downstream costs, such as higher cyber insurance rates and the revenue the business may suffer as a result of reputational damage.

We need a new approach and lessons from a generation ago can point us in the right direction. Back then, cybersecurity professionals created disaster recovery and business continuity plans, calculating downtime and its disruptive effects to justify investing in a holistic approach. We can do that again, but it will require less focus on tools and more clarity on purpose.

Clear as Mud: The Complexity of the Market and Diverse Cybersecurity Needs

A barrier to clarity is the growing volume and sophistication of threats and the associated proliferation of tools to counter those threats. Rapid growth of cybersecurity solutions was a trend before the pandemic, but work-from-home protocols significantly expanded the attack surface, leading to a renewed focus on security and even more new entrants to the solutions market.

The availability of new tools is not the problem – many of the cybersecurity solutions on the market today are excellent and much needed. But the expansion of an already crowded market, along with expanding threats and evolving attack surfaces, makes it even more challenging for CISOs to know which path to choose.

Complicating matters even more is the fact that every organization has unique cybersecurity needs. They have different means to protect, and the ideal schedule varies considerably between organizations depending on size, infrastructure (cloud vs. on-premise, etc.), workforce distribution, region, and other factors. Obtaining clarity requires a change of mentality.

Get clarity by focusing on results instead of tools

CISOs stuck in a reactive loop can begin to break that pattern by focusing on results rather than tools. The quote from Theodore Isaac Rubin at the top of this article is instructive here; the problem cannot be solved by replacing a defective tool, although this may be necessary depending on the circumstances.

The problem is the attitude towards the bigger problem, i.e. the delusion that we can solve our cybersecurity problems by finding the right product. The problem is to be repeatedly surprised when that doesn’t work.

Instead, it’s time to focus on the desired outcome – one that is unique to each organization depending on the threat landscape – and find solutions for people, processes and technologies to achieve that desired state. It can’t just be about software and platforms. If the pandemic years have taught us anything, it is that people and processes must also be part of the solution.

The business case for a new approach

A focus on results and a plan that includes people, processes and technologies is a modern strategy that takes a page from the disaster recovery and business continuity plans of the past because it is comprehensive. It explains the revenue loss associated with cybersecurity exposure and justifies investing in a new approach to avoid those costs – that’s part of the business case.

Another argument for change is the need to address the speed at which threat vectors are growing and asset protection needs to evolve today. At too many companies, the current cybersecurity posture is analogous to the way operating systems used to be periodically updated versus the live updates we rely on now. Everything is moving faster now, so waiting for a new release is not acceptable.

A new approach requires broader input to formulate an adequate response, as threats are more widespread than ever. CISOs need internal input from employees and business unit executives. They need information from the FBI and cybersecurity leaders. Many will need a partnership to guide the organization through this journey and allow the company to focus on its core business.

Finding the Right Cyber ​​Security Solution

Identifying the right cybersecurity solution starts with defining critical assets and a desired outcome. For CISOs who decide to partner with an expert to help them succeed on this journey, it’s a good idea to find a team that isn’t trying to sell a particular tool. It is also important to consult experts who understand that solving the cybersecurity problem requires people, processes and technologies.

People will always be the first line of defense, so building a safety-oriented culture and aligning processes will be critical. A partner who understands the crucial role people play is therefore essential. It is also advisable to demand evidence from potential partners, such as access to a customer who collaborated with the team through a breach.

Our cybersecurity problem is not what we think it is. The real problem is that people don’t accept that there are no magic bullets and that only a holistic approach that addresses the true magnitude of the threat – and all facets of the attack surface – can meet the challenge. CISOs who accept this can break the reactive cycle and proactively reduce organizational risk.

Peter Trinh is a cybersecurity SME at TBI Inc.