There is an incredible amount of material online and on social media about cyber security. But the vast majority of it is either sponsored by technology vendors or directly associated with them. They range from start-ups and specialized software houses (large and small) all the way up to industry heavyweights. They sponsor industry events, conferences, and publications of all sorts, including the specialized supplements of many broadsheets and magazines. They produce white papers, reports, surveys and the like, in numbers sufficient to fill several bookcases every year.
Broadly speaking, those reports have been saying the same thing for the past few years: Cyber threats are evolving faster than people can react; investments in cyber security are insufficient to keep up; maturity stays at low levels in large corporations and across the public sector; it must now become a 'Board-level priority' for things to change.
Some of those aspects match what we observe in the field every day, but the overall message coming from technology vendors is simplistic and has two major flaws:
1- It tricks large corporations and the general public into believing that cyber security is something new
This is not the case. Cyber threats have not appeared overnight. In fact, they have been evolving for the best part of the last 15 years and there is a vast body of good practice that will go a long way to protect any business.
But those good practices have to be in place and often are not. Cutting corners around those on grounds of costs or convenience simply creates opportunities that cyber threats can target. And indeed, many recent breaches seem to relate to the absence of security controls that have been regarded as good practice for years and should have been in place.
The sad reality is that, in spite of decades of spending in the information security space, many large organizations are still struggling today with problems going back to an era where security measures were seen as a necessary evil imposed by regulations – at odds with functionality and preventing innovation and agility.
2- It perpetuates the false idea that the problem is technical in nature
In fact, it is increasingly becoming a matter of mindset, culture, and governance.
Many problems are rooted in decades of neglect, badly targeted investment, adverse prioritization or complacency, and there can be no miracle solution – technical or otherwise – in such a situation. Avoiding cyber security breaches, or dealing with them, requires coherent action over time across the whole organization.
Only by identifying and removing the roadblocks that have prevented progress in the past, will large organizations establish a genuine and lasting transformation dynamic. This is often a complex change process that could take years and requires a relentless drive to succeed. It is not about deploying yet another piece of security software.
Of course, technology can and does enable some aspects of the cyber security transformation, but it needs to be rooted in a transformative vision that puts people and process first, and embedded within a target operating model that allocates clear roles and responsibilities across the whole enterprise, not just the IT department.
Those messages are rarely heard in the media, which are often dominated by the short-term agenda of tech vendors. And even when they do get mentioned, they are often lost in the midst of a vast amount of technology noise and are hardly audible or credible.
True independence is a rare commodity in the cyber security world, but it is essential for large organizations to navigate those waters and develop a genuinely protective practice, instead of simply listening to the latest technology buzz.