Mike Lefebvre is the director of cybersecurity at SEI Sphere.
getty
Working in cybersecurity sucks. The industry is costly, complex and ever-changing. Individuals we meet with from various organizations seem to have a general feeling of consternation with the environment in which they’re operating: decreasing budget, increasing regulation, relentless threats and confusing buzzwords. If there’s an opportunity for an unprompted 2023 cyber state of the union, it’d be summarized in one word: frustration. Let’s unpack why.
Over the past couple of decades, we’ve been taught that buying security tools is the best way to protect ourselves. First, we bought firewalls, then we bought anti-virus, and finally, we bought a security information and event management (SIEM) solution or a data lake. Lately, it’s become a complex decision tree of the latest conference’s alphabet soup: EDR, SASE, IGA, CTI or xSPM. But the unfortunate reality is that we’ve purchased all of these tools—and still got breached. Why?
The problem with this approach is that cyber is a systemic challenge that we’ve been treating with independent point solutions. Individual cybersecurity tools are not built to beat attackers; they’re built to sell. Each tool sees the world through its own individual viewpoint without regard to what its colleagues are doing. Consider individual chess pieces: Pawns, rooks and knights each have their own distinct capabilities and views of the board. By ignoring the combined capabilities of these pieces without looking holistically at the chessboard, the king is likely to be exposed. This is not a winning chess strategy—and definitely not a winning cybersecurity strategy.
If we want to improve our cybersecurity effectiveness, there are three existential truths we need to accept:
1. The cyber adversary is a human on the other end of the keyboard that is incentivized by a return on investment (ROI). The desire to steal money is arguably as old as money itself, and technology has merely provided new conduits for doing so. Admittedly, some threat actors specifically seek intellectual property theft, surveillance or physical disruption (e.g., military operations), but make no mistake: A return is still the objective. The adversary has a clear motivation to innovate, leading to truth No. 2.
2. Investments in cybersecurity will have to continually evolve. Given the persistence of the adversary, all cyber tools have a shelf life. Unfortunately, this means that cyber is not something one can “set and forget.” Rather, it requires regular review to ensure the threat hasn’t pivoted around—or through—the controls that we’ve implemented. We need to be willing to invest as much time in protecting our businesses as the cyber adversary invests in circumventing the traps that we’ve laid. Cyber will always have to evolve with business initiatives, technology developments and emerging threats.
3. If you fail to expect, you can expect to fail. If you’re not thinking at least three chess moves ahead, your opponent is likely going to win. Businesses that are not investing in cybersecurity as a foundational business enabler are ultimately subject to failure in cyberspace. That is not to say cyber perfection is the goal; instead, resilience and responsibility are more realistic endeavors. Cyber doesn’t need to be overwhelming if you cover the basics, partner with the right defenders and always expect the adversary at your digital doorstep.
If we stop chasing tools and start embracing cyber as a comprehensive system to keep out a thinking, breathing, human opponent, we can think holistically about how our business is protected (or conversely, how we are exposed). Systemically integrating cyber controls is a prime example where the whole is greater than the sum of its parts. Do we have too many pawns and not enough knights? Are we able to integrate our tools to extract maximum value from our existing investments? Are parts of our business particularly enticing and vulnerable to attackers? If we shift our thinking to the current reality and ask ourselves the right questions, being in cybersecurity doesn’t have to suck.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
