We never used to have to worry

As technology becomes more and more embedded into our lives, into our businesses and into our realities, you must wonder why it’s so hard for some to adapt to the changes this brings.

With more connectivity, with more services online, with more systems connected and with people wanting always on, always available services you must consider the realities of technology management in today’s world.

Is it right to expect your systems to be online 24/7 365 days a year? Do your staff want flexibility? Do you operate services which are exposed to the internet? Not only is keeping the services online (and well maintained) a consideration, how do you keep them secure?

System security is probably viewed by many still as something that a monthly hotfix or upgrade looks after. Unfortunately, whilst that might be “got by” in the 90s and early 2000s the reality is that doesn’t work anymore.

Operating Models of the Past

The challenge many organisations have regarding cyber security are far greater than I think people like to admit.

• In a digital first world you must be able to not only monitor threat intelligence in near real time, but you also need to be able to react to it, how do organisations with traditional operating models cater for this?
• Do staff have the bandwidth, skills, or remit to cover security capabilities and specialisms that aren’t part of traditional IT roles?
• How can Operational teams be running a Monday-Friday 9-5 pattern cope with zero-day vulnerabilities? Or even known public vulnerabilities with active exploitation?
• Traditionally there are largely not dedicated security departments, functions, or capabilities inside organisations.
• Traditional mindsets and approaches were to have a yearly penetration test covering a very small percentage of the attack surface

Technology management is often pushed into the corner in organisations, it’s something “the IT crowd do” or is not given the attention by the board that it really requires. This isn’t out of self-importance from the IT crowd etc. it’s the reality that modern life and business is highly coupled to technology. Failure of systems, loss of availability, integrity and confidentiality is a serious problem (often revenue impacting) for organisations.

I often hear organisations say they can be down for extended periods of time when it comes to planning and investments yet when an outage occurs you wouldn’t think this was the case.

Major Challenges in Cyber Security

The lists unfortunately aren’t getting smaller, whilst the iPad may be “simple” to use, I think the consumerisation of technology has harmed people’s views on the realities of operating technology platforms and systems at an organisational level. Take the faster, cheaper position of general technology deployment and then look at the threat landscape:

• Threat actors move fast
• Criminal enterprises are well resourced, operate across the globe and can act 24/7 365 days a year (ok they are known to have breaks but that’s not a control mechanism)
• Exploits are sometimes created and exploited before the vendors are aware of them (zero days)
• Even when intelligence show’s an exploit in the wild, sometimes there is a lag between the intelligence and vendor patches
• Defending organisations from cyber threats requires knowing the network better than the IT team know it. I don’t say this lightly as the IT team are fundamental and key to protecting the business from cyber threats, however the cyber landscape is now so broad and deep relying upon it “to be looked after” doesn’t really work. See the news daily for evidence of this.

Major challenges for organisations in cyber security cover a broad range of domains:

• Financial Markets, changes to cost bases must be absorbed somewhere, if it’s not in the customer or supplier space it’s in the dividends and share price.
• Adding capabilities generally increases the cost base.
• Adding capex-based investments without balancing out the operational spending (head count, support, training, time) adds more technical debt.
• Pace of change.
• Threat Landscape, Threat actor capabilities and criminal go to market speeds
• Cyber capabilities were simply forgotten, ignored, or cut out from traditional technology deployments.
• Security is perceived as a cost rather than a business enabler.
• Cyber security is often seen as magic.
• The workforce in my experience (at all levels) is not currently greatly equipped to understand the cyber landscape let alone be able to effectively defend their segments of the world.
• People often think installing the latest version of a product or service will make them secure, sadly this is very (if not ever) the case.
• Education, not only of people planning, designing, building, and operating but also of those in the investment decision spaces are a major challenge.
• Customer demands and expectations for security and privacy are that they are built into products and services.
• Organisations have legal obligations; these however are often unclear and often glossed over.

A Grim Reality Today doesn’t mean the future has to be the same

I’m not going to lie, sometimes working in this field is depressing. I look at the way we as a human race have deployed technology and then look at the attack surfaces at country scales and it’s not a pretty sight. I speak to people who are always keen to talk a great game but when we look in the weeds, we very often find the skeletons that “don’t exist”.

I do however see a brighter future, today Cyber security is an entire industry, we have better education, better understanding, better investment, and more opportunities than we ever have had. We do still however have a gigantic set of challenges to overcome, even if we delivered world class education into the new generations tomorrow the lag time for that to take effect on the ground is huge.

That being said, things are somewhat improving, my worry is that it’s easy to put out strategic statements and much grandiose visions of a secure future without rolling up the sleeves and fixing the issues that are causing both organisations and people to get pwn3d with a devastating effect on what is now an hourly/daily basis.

If we are going to change the status quo, it’s going to require change, it’s going to require people and organisations to deal with the on the ground issues, it’s going to require that as a race we learn to defend harder. That starts with being realistic and recognising the need to change the way we have been approaching technology security, and that change is far harder than blocking the next RCE!