In my previous blog post, I told you a little bit about my perspective on the current state of IT security based on almost 20 years’ experience as a CISO. Now, let’s look at the most frequently recommended approaches to addressing ongoing problems.
For many years, security vendors have told us that there are two fundamental solutions to our cyber issues:
- Patch all of your vulnerabilities
- Educate your employees
Both of these suggestions may be good best practices, but they are aspirational processes…not solutions.
Let’s start with patching all vulnerabilities. That sounds simple until you realize that software permeates every aspect of businesses, and that tens of thousands of software vulnerabilities are discovered every year. While a good patch management system can help, the reality is that not all vulnerabilities are created equal. Some can be patched easily, even automatically. But some of the riskiest vulnerabilities demand that applications and/or middleware be completely rewritten if the application is to function properly after the patch is applied. That means that even if applying the patch is simple, hundreds or even thousands of hours of recoding may be required to make the application function. When you multiply these hours by the number of vulnerabilities that are constantly being discovered, it’s easy to see that while applying patches is a best practice, it is not a solution. We live in the real world, and we need a solution that works in the real world – where uptime and availability are key.
The idea of employee training and awareness building is another maddening effort. Practicing good Internet hygiene is a solid plan, but in the face of constantly evolving attacks, it is not a solution. Hackers are clever enough to simply adapt their attacks, and sometimes actually base them on the very training topics that we are promoting! But the biggest flaw in training as a solution is that most employees are not security experts, nor do they want to be. Most simply need to do their jobs efficiently and are neither able nor qualified to analyze every communication they receive for possible malicious intent.
So that’s the world that CISOs live in. Security vendors usually have not done our jobs, so they have a difficult time creating products that actually make our jobs easier. Software vulnerabilities, sometimes due to market pressure, are inevitable. Regulations and audits, designed to make us safer, can instead leach away key resources. And the “Two Magic Bullets” – Patch and Train – simply will not solve the problems we face.
This conclusion sounds pessimistic, and it probably seems like I’m calling attention to the glass being half empty. My intent, however, is to get us out of the “half full” mindset, in which we toil on that treadmill every day thinking that this is as good as it gets. Instead, by acknowledging that the glass is half empty, we can realize the potential of filling it to the top. There is a path forward. There is a better way and it’s not too late if we act now, and act quickly. It’s time to break free from the constraints that have hindered our success and escape the endless skirmishes. It’s time to win the war!!!
In upcoming posts in this blog series, I will discuss specific strategic, tactical, technical, and non-technical ways to get started. And in case you missed them, check out the previous blogs in the series: We’re winning the battles but losing the war and How did we get here?