Cyber AI Chronicle

By Simon Ganiere · 10th November 2024

Welcome back!

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.

What I learned this week

TL;DR

  • I have a pretty basic system to track down the articles I'm reading during the week so I can use them to create this very newsletter. Looking back at my list, I started to notice quite a few articles related to the struggles of security teams. This week's deep dive is a summary of those articles, based on experts in the field sharing their insights. Let me know what you think: mid-life crisis, or part of the normal maturity of the industry? » READ MORE

  • The AI world is still moving at high speed:

    • The search space is going through a new cycle. After SearchGPT last week, this week we have META announcing they are working on their own AI-powered search engine. I'm not sure how Google is feeling about this, but for the company that created the core technology used in LLMs, that is sitting on a treasure trove of data (the Google index), and that is now facing harsh competition on its main product (search)… well, it's not looking great.

    • META is also making Llama available to U.S. government agencies and contractors working on national security applications. I mentioned this previously: AI will have a huge impact on geopolitics.

    • OpenAI acquired chat.com for $15.5 million, the full story from the seller is here.

  • In good news for cyber security:

    • An international coalition of police agencies conducted a major operation that resulted in the takedown of 1,037 servers and other infrastructure operating on 22,000 IP addresses. This effort targeted online scams, phishing schemes, and ransomware distribution, leading to the arrest of 41 individuals » READ MORE

    • The Cybersecurity and Infrastructure Security Agency’s (CISA) secure-by-design pledge, now six months in, has pushed major software firms to improve security. The pledge includes goals like expanding multifactor authentication, removing default passwords, and enhancing vulnerability reporting » READ MORE

    • The FBI said in 2023 that business email compromise accounted for $2.9 billion in losses. Therefore any initiative to disrupt this type of attack is a big win; it was announced this week that a Nigerian national got a 10-year sentence for stealing $20 million through business email compromise scams » READ MORE

Security's Mid-Life Crisis: An Industry at a Crossroads?

Several thought leaders and organizations are pointing to fundamental problems in how we approach cybersecurity, and the picture they paint suggests an industry in the midst of an identity crisis.

The Foundation Was Built on Questionable Data

In a revealing analysis, Chris Hughes exposes that the popular "shift left" movement, which advocates moving security earlier in the development lifecycle, was built on surprisingly shaky ground. A recent CISA Cybersecurity Advisory Committee report found that the often-cited statistics about cost savings from early detection were founded on speculative, unofficial sources - some of which may have never existed. Even more concerning, claims like Barry Boehm's assertion that fixing software problems after delivery is "100 times more expensive" than finding and fixing them during the design phase lack any empirical support.

This revelation is particularly troubling because these statistics have been fundamental in justifying security investments for years. Even modern reports, such as IBM and Ponemon's Cost of a Data Breach study, don't provide actual data on the cost savings when security vulnerabilities are found and fixed before a breach occurs. This raises serious questions about how we justify security investments when the economic rationale we've relied on might be fundamentally flawed.

Security Failures Don't Have the Impact We Think

One of the most surprising findings across multiple sources is that security incidents often don't have the lasting impact we've been led to believe.

According to recent studies cited in Hughes' article, organizations that filed SEC 8-Ks for security incidents only suffered an average 1.4% share price decline, which typically bottomed out after 40 days and fully recovered within 53 days.

Even more perplexing, breaches involving sensitive data like Social Security numbers had less negative impact on share prices than breaches of email addresses.

The pattern extends beyond stock prices. Major security incidents at companies like Target, Samsung, and SolarWinds showed minimal long-term impact on customer base and revenue. As CISA's report notes, "quality failures don't always affect customer loyalty." This creates a challenging dynamic where the traditional arguments for security investment - protecting reputation and avoiding customer loss - may not be as compelling as we once thought.

Tool Sprawl is Out of Control

According to a SiliconAngle article cited by Hughes, the security industry has fallen into a dangerous "tool-centric" approach rather than focusing on outcomes. The average CISO's organization now manages between 70 and 90 security tools, with some running as many as 130 different solutions. What's more alarming is that only 10-20% of this cyber technology is actually fully utilized - meaning properly deployed, configured, tuned, and optimized.

Frank Wang, in his analysis "Security has too many tools," points out that this proliferation of tools isn't just a financial issue. The tool sprawl creates cognitive overload for security teams, leading to burnout and actually making teams less effective as they juggle an ever-growing portfolio of solutions. Moreover, these security tools themselves become part of the attack surface, introducing their own vulnerabilities and misconfigurations.

The Business Perspective Gap

Leon Adato makes a provocative but insightful observation in his article "Nobody Cares About Security" - what businesses actually care about is avoiding lost revenue, downtime, extortion, and lawsuits. This isn't just semantic wordplay; it represents a fundamental disconnect between how security teams think about their mission and how businesses evaluate value.

The challenge is multi-faceted. Security issues are inherently complex, more so than many other business risks. As Abe Silber, CEO at CyberCure.com, points out in Adato's article, "The problem with security is that it's impossible to measure your ROI... it's almost impossible to measure the likelihood of preventing [incidents] based on different security solutions." This makes it extremely difficult for security teams to justify investments in business terms.

The Prevention vs. Response Debate

Perhaps the most controversial development comes from Gartner's recent Risk and Security Summit, where analysts Akif Khan and Christopher Mixter advocated for organizations to move away from "zero tolerance" prevention mindsets. Their argument is that organizations need to accept some level of security loss, similar to how retail stores accept a certain amount of shrinkage or banks accept some fraud losses.

This represents a significant shift in security thinking, suggesting that organizations should invest more heavily in response and recovery capabilities rather than trying to prevent every possible attack. It's a pragmatic approach, but one that's meeting resistance from some security leaders. As Danny Jenkins, CEO of ThreatLocker, argues, "The idea that you can recover from a cyber attack is rubbish... What happens when someone takes six terabytes of your confidential files? How do you recover from that?"

The Way Forward

The evidence suggests that security teams need to fundamentally rethink their approach. Here's how we might forge a new path:

Redefine Security's Role

Security teams need to stop positioning themselves as the "Department of No" and start acting as business enablers. As Mark Simos points out in his RSA presentation on security anti-patterns, this means having conversations that start with "How can I help you achieve your objective securely?" rather than listing all the reasons something can't be done. This shift in mindset is crucial for building the partnerships needed for effective security.

Embrace Empirical Decision Making

We need to move away from fear, uncertainty, and doubt (FUD) and toward data-driven decision making. This means investing in better metrics and measurement systems that can actually demonstrate security's value to the business. As Frank Wang suggests, this might mean having fewer tools but more headcount - focusing on people who can understand and solve problems rather than just operating tools.

Build Real Partnerships

Security teams need to break out of their silos. This means regular engagement with business units, understanding their objectives, and finding ways to enable those objectives securely. As Chris Hughes notes, this might be as simple as starting with pizza-fueled discussions between security operations and development teams to build understanding and cooperation.

Conclusion

The security industry's mid-life crisis isn't necessarily a bad thing - it's an opportunity for transformation. We've built our industry on assumptions that are being challenged, using metrics that don't resonate with business leaders, and relying too heavily on tools rather than outcomes. The path forward requires us to be more pragmatic, more business-aligned, and perhaps most importantly, more honest about what we can and cannot achieve.

Security teams need to:

  1. Stop trying to prevent every possible attack and focus on managing the most likely and impactful risks

  2. Reduce their tool sprawl and invest more in people and processes

  3. Build genuine partnerships with business units rather than acting as gatekeepers

  4. Develop better ways to measure and communicate their value to the business

  5. Accept that perfect security is impossible and focus on resilience instead

Here's a thought to ponder: What if we've been looking at security all wrong? Instead of trying to be the organization's immune system, fighting off every threat, maybe we should be more like its nervous system - helping it sense danger and respond appropriately, while still allowing it to function and grow.

What do you think? Is security having a mid-life crisis, or are we finally maturing as an industry? Let me know your thoughts in the comments below.

Worth a full read

Global State of API Security

Key Takeaway

  • Generative AI adoption expands attack surfaces and increases API security risks significantly.

  • Bot attacks on APIs are prevalent, necessitating advanced strategies for effective mitigation.

  • Organizations must prioritize real-time monitoring and analysis for generative AI API security.

  • A proactive approach integrating strategy, technology, and governance is crucial for API security.

  • Many organizations lack confidence in their current API security measures and need innovation.

  • 7% of organizations reported at least one API-related data breach in the past two years.

  • Only 38% of APIs are tested for vulnerabilities on average, revealing a security gap.

  • 61% of organizations expect API risk to increase over the next 12-24 months.

  • 67% of organizations are adopting generative AI, raising API security concerns.

How data breaches affect stock market share prices

Key Takeaway

  • Data breaches cause reputational damage, affecting investor confidence and stock performance.

  • Healthcare sector suffers most from data breach impacts on share prices.

  • Breaches of non-sensitive data surprisingly impact stock prices more than sensitive data breaches.

  • Breach fatigue reduced negative impact on share prices post-2015.

  • Rising ransomware attacks post-2020 increased negative impacts on share prices.

  • Class-action lawsuits post-breach can significantly affect stock prices.

  • Retail sector shows resilience in recovering from data breaches.

  • Financial reports post-breach can reveal further impacts on stock performance.

  • Stocks of breached companies on average underperformed the NASDAQ by -3.2% in the six months after a breach.

  • Share prices bottomed out 41 business days following a breach, sinking -1.4% on average.

  • Healthcare companies took the biggest hit to their share prices, which underperformed the NASDAQ by -10.6%.

  • Stock prices recovered to their pre-breach disclosure levels 53 days after a breach(!)

Wisdom of the week

You can't start the next chapter of your life if you keep re-reading the last one.

Michael McMillian

Contact

Let me know if you have any feedback or any topics you want me to cover. You can ping me on LinkedIn or on Twitter/X. I’ll do my best to reply promptly!

Thanks! See you next week! Simon
