How to combat cyber confidence that undermines cyber security success
I keep coming back to a recent finding reported on in a CU Insight article Cyber Confidence Doesn’t Mean Cyber Security regarding credit union cybersecurity…
“One particularly interesting finding to come out of this research project has been the confidence of credit union leaders in their cybersecurity programs. Overwhelmingly, 71% feel confident they are fully protected and 92% feel they were never breached. However, among non-credit union business leaders, just 16% feel prepared.”
In his effort to address the seeming overconfidence of credit union leaders, the article’s author adroitly points out important contradictions found via the survey, including…
“Of these same confident respondents, only 49% agreed that their IT is up-to-date. The same credit union leaders who claim confidence in their security are also those who identify as under-skilled and under-staffed. Additionally, credit unions have expanded their threat landscape by moving to remote work and adding new technology to keep pace with innovation. Over the past 18 months, we have seen a 600% increase in cybercrime. Aged software is the pathway for a majority of cyberattacks, and 95% of cyber breaches are the result of human error.”
Mistaking Activity for Accomplishment
I am old enough to have studied under Dr. Peter Drucker, who taught that while it is important to “do things right”, it is most important to “do the right things.” Dr. Drucker would have looked at the insights above and questioned the survey respondents’ understanding of the “right things to do.” Why? Because the activities these respondents appear to accept as accomplishments are no such thing.
Nor would Dr. Drucker be impressed by the belief of 92% of them that they “were never breached.” He would first ask them to define “breached” and then would ask them how they could possibly know they remained untouched, even at that moment? Why would he ask? Because “activity is not accomplishment”, and the presence of security alerts flashing away in monitoring software is not the same thing as un-breached and confidently secured.
How Did Measuring/Monitoring Come to Equal Managing?
One of Dr. Drucker’s oft-taught thoughts – you can’t manage what you don’t measure – has contributed greatly to successful management practice over many decades; but sometimes organizational leaders mistake “measuring” for “management” or, worse, turn measurement into an exercise in “doing things right rather than doing the right things,” ending up confident in their activity but falling short in their accomplishment. Today, leaders across industries are trapped in cyber security “activities” that fall short of the absolutely necessary security “accomplishments.”
In conversations with CEOs and CIOs, I’m told they are confident because the reporting on monitoring and securing their environments shows a great volume of security alerts (“we see the attacks”) and a great volume of blocked penetrations (“we’re keeping them out”). But their confidence needs to be tempered by the reality we all face – malware is winning, and it’s not enough to work to meet industry or regulatory standards when those standards are focused on activity, not accomplishment.
The reality is that every year companies experience more penetrations, damaging cyberattacks, exposure of personal confidential information, data losses, ransomware, and phishing attacks. And the tools built and deployed to help companies block malware, monitor systems and hunt for threats have proven either bypassable or a source of fatigue and frustration for the SOC teams we empower to protect us, generating thousands of alerts that must each be investigated.
And it doesn’t matter whether those SOC teams are in your “house” or outsourced to professional security service companies. There are so many seeming threats appearing inside our networks that security teams are “overwhelmed by the volume of threat alerts” (source: EMA). And with the bypassability of nearly all AV/EPP solutions, SOC teams find themselves chasing false positives amid the noise generated by these systems – systems that were meant to help but now provide cover to malware that finds refuge inside applications, where no leading AV/EPP solution goes.
There Will Be No Let-Up; We Must Change
And I see no let-up in the bad guys’ efforts to break through, hide obfuscated code in applications, and run secretly in our networks, unless and until we learn to focus on the right things to do and stop equating activity with accomplishment.
Systems must be monitored, and threats must be addressed across the ever-growing attack space; but we must also strive for a zero-trust architecture that brings our “network access” practices into safer space, and we must address the failure of security software vendors to stop cyber criminals from bypassing their solutions. To read more on the need for zero-trust practices to thwart ransomware, consider https://www.cuinsight.com/want-to-stop-ransomware-cold.html.
As Brad LaPorte, a long-time EPP veteran and recent Gartner Senior Analyst, writes, “Cybercriminals are now able to secretly bypass modernized security solutions like Next-Generation Antivirus, Application Control, Endpoint Protection Platforms (EPP), and Endpoint Detection and Response (EDR). Worse yet, cybersecurity vendors are aware of this devastating tactic but are keeping quiet about it. They are not able to stop it and that is a serious threat to their viability (and yours). Attackers are able to sneak into corporate networks by hiding INSIDE APPLICATIONS, where ALL endpoint security products are blind to what is executing behind the scenes. It’s time we all focus on fixing this.”
The Drucker Way Still Works
If we can begin to turn activity into accomplishment by doing the right things, and not just doing things, we can start to lead and to manage in confident ways, while withstanding the latest and greatest cyber threats coming our way. But to do so, we must think like Peter Drucker and tackle the right things to do.