It’s Time to Dismantle the Corporate Cybersecurity Industrial Complex

Cybersecurity Has a Leadership Problem, Not a Technology Problem

When people talk about the main issues with cybersecurity and how to solve them, they often focus on things like the type of attacks, the high costs, the technology involved, and the hackers themselves. You’ll hear people say, “It’s ransomware!” or “No, it’s phishing!”, “No, it’s social engineering!”, and my personal favorite, “It was a really sophisticated attack!”

Moreover, the defeatist mantra, “it’s not a matter of ‘if’, but ‘when’ we are breached,” permeates the industry. This fatalistic perspective resigns us to failure before we even have a chance. It strikes me more as media melodrama than a meaningful contribution to educating the market.

While it’s true that there have been numerous innovations over the years to stop security incidents, like the Zero Trust approach, we seem to have forgotten an important part of the equation: organizational dynamics.

I don’t want to make light of how complex cybersecurity is. I get why it’s so hard to get right. There is so much to consider, from the technology we use, to the people leading the way. After nearly a decade in the industry, consulting with CISOs, technologists, strategists, and engineers, a recurrent theme surfaces: security failures invariably feature an organizational component.

 

Case Study in Epic Failure: Equifax

 

Consider the poster child of indefensible security: Equifax, whose 2017 breach exposed the personal data of roughly 147 million people. While the incident happened several years ago, it remains a great example of how leadership failures play out.

In 2018, I worked for a cybersecurity company, VERA Security. They specialized in user-friendly solutions to protect unstructured data, such as files, both at rest and in transit. While I was there, I wrote a whitepaper on defensible security.

Part of my research led me to dig deep into the Equifax breach, and I quickly learned that it was much more than simply a technology issue. It’s often said that $10K worth of technology (in their case, software composition analysis, which would have flagged the known, unpatched Apache Struts vulnerability that was exploited) could have prevented that breach; the fact that it wasn’t implemented, however, tells an even deeper story about Equifax at the time.

In December 2018, the House Oversight Committee released a final report that states, “Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operations. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner.”

It’s not about “too big to fail”. It’s about “too big to modernize”.

As an example of that execution gap, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. One of those expired certificates sat on the device that inspected encrypted traffic to the breached application, so that traffic went uninspected and the exfiltration was only noticed once the certificate was renewed. Second, the report found that Equifax’s aggressive growth strategy and accumulation of data had resulted in a complex IT environment.

Equifax ran a number of its most critical IT applications on custom built legacy systems. “Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging. Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach.”

Consider the history of executive departures after data breaches:

  1. Target’s CIO and CEO both resigned in 2014, following the massive breach disclosed in December 2013.
  2. Home Depot’s CEO retired in the months after its 2014 data breach (though his retirement had been announced before the breach was disclosed).
  3. JPMorgan Chase’s CSO and CISO were both moved out of their roles in 2015, following the bank’s 2014 data breach.
  4. In March 2017, Yahoo!’s general counsel resigned and its CEO forfeited her annual bonus over the company’s handling of its breaches.
  5. In September 2017, the CEO, CIO and CSO of Equifax all stepped down.

 

According to a Gartner prediction, by 2022, 50% of CEOs who lack a cybersecurity posture that is defensible to their key stakeholders will be fired following material breach incidents that impact more than 25% of their customer base.

 

The Uber Conviction and Accountability in Cybersecurity

And recently, with former Uber CSO Joe Sullivan having been criminally convicted in 2022 over his handling of a data breach back in 2016, I’m beginning to wonder if we will ever get accountability right.

The Uber case was the first time a single executive, not surprisingly the security chief, was criminally convicted in connection with an organization’s data breach. Notably, the charges (obstruction of justice and misprision of a felony) concerned the concealment of the 2016 breach from the FTC, which was already investigating Uber at the time, rather than the breach itself.

While I understand the need to hold those in leadership positions accountable for the consequences of their decisions, I believe that convicting Joe Sullivan, the former Chief Security Officer at Uber, over the data breach is a misguided action. This view is not in any way meant to absolve any potential legal transgressions; however, the unique situation surrounding data breaches necessitates a broader perspective.

Cybersecurity is a complex, company-wide issue. Holding a single individual, even the CISO, personally liable for a data breach risks overlooking systemic issues within the company: under-resourcing or underfunding of the security function, a lack of understanding or urgency from the board or senior management about cyber risk, or ineffective communication channels between IT and management could all have contributed to the breach.

Without addressing these systemic issues, focusing on an individual’s culpability may only serve as a temporary band-aid rather than a long-term solution.

 

Maybe it’s time to dismantle the corporate cybersecurity industrial complex.

Dismantling the “corporate cybersecurity industrial complex” can be seen as a radical approach to addressing the current state of cybersecurity. While this phrase sometimes evokes a strong reaction, it’s important to note that it doesn’t necessarily mean doing away with corporate cybersecurity measures or the industries that support them.

Rather, it could imply a shift away from the current model, which is often seen as overly complex, inefficient, and driven by commercial interests, rather than a focus on truly effective cybersecurity solutions.

Here are a few reasons why some believe such a shift could be an improvement:

  1. Promoting Innovation: The current cybersecurity industry is highly competitive, with numerous vendors offering similar products and services. While competition can drive innovation, it can also lead to an oversaturated market with incremental improvements, rather than truly innovative solutions. Breaking up this industrial complex could encourage new ways of thinking about cybersecurity and foster more innovative solutions.
  2. Focus on Fundamentals: The cybersecurity industry often focuses on selling the latest high-tech solutions. However, many organizations still fail to implement basic cybersecurity best practices, such as regular patching, strong password policies, and employee training. By dismantling the current model, there might be a greater focus on these fundamentals.
  3. Reducing Complexity: Navigating cybersecurity can be incredibly complex for organizations, with a multitude of products, services, standards, and regulations to consider. Simplifying this landscape could make it easier for organizations to understand and manage their responsibilities.
  4. Avoiding Vendor Lock-in: In the current system, organizations often become overly dependent on a single vendor for their cybersecurity, which can lead to complacency and limit flexibility. Breaking up this complex could promote more vendor agnosticism, allowing organizations to select the best solutions for their needs from a variety of providers.
  5. Shifting Resources: A significant amount of resources is invested in maintaining the current cybersecurity status quo. By reevaluating it, these resources could potentially be redirected towards more effective cybersecurity measures, such as improving education and training or conducting more thorough risk assessments.

 

Unpopular Opinion: the phrase “cybersecurity is everyone’s job” = fake news.

The phrase “cybersecurity is everyone’s job” is often used to emphasize the importance of collective responsibility in maintaining cybersecurity standards within an organization. While it is crucial for everyone to follow basic security practices, like strong password hygiene and recognizing phishing attempts, stating that “cybersecurity is everyone’s job” might be somewhat misleading, and here’s why:

  1. Specialized Skills and Knowledge: Cybersecurity is a complex field that requires specialized skills and knowledge. IT professionals and cybersecurity experts spend years acquiring the expertise necessary to secure a network, respond to threats, and recover from breaches. Thus, while all employees have a role in maintaining security, the brunt of the responsibility lies with these trained professionals.
  2. Dilution of Responsibility: The statement can inadvertently lead to the dilution of responsibility. When everyone is responsible for something, there is a risk that individuals may assume someone else is taking care of it, leading to potential gaps in the security posture.
  3. Deflection of Accountability: This phrase could be misused to deflect accountability away from those who should be responsible. In an organizational setting, while everyone should practice good cybersecurity hygiene, the ultimate responsibility for ensuring systems and data are secure often lies with leaders, who are in positions to allocate resources and enforce policies.
  4. Overlooking Systemic Issues: Saying “cybersecurity is everyone’s job” may lead to an overemphasis on individual actions at the expense of addressing systemic issues. Cybersecurity failures often stem from larger organizational or structural problems, such as a lack of investment in security infrastructure, inadequate training, or a corporate culture that does not prioritize security.


The Path Forward

Addressing systemic and organizational issues in cybersecurity involves a holistic approach that goes beyond technology and focuses on integrating cybersecurity into the core business processes, leadership, and organizational culture.

Crafting a comprehensive cybersecurity strategy is crucial, one that reflects an organization’s unique risk profile, aligns with business objectives, and delineates clear roles for all staff levels. Leadership should promote a culture of security-conscious behaviors, facilitated by regular training, and should be held accountable for cybersecurity measures.

Moreover, a shift to a risk management approach, where potential threats are identified, assessed, and managed, can be beneficial. This should be complemented by sufficient resource allocation towards cybersecurity, both financially and in terms of personnel.

Emphasizing collaboration, information sharing, regulatory compliance, and incident response planning, along with integrating cybersecurity in the design of business processes, can further strengthen the cybersecurity posture of organizations. By adopting these pathways, organizations can begin to address systemic issues effectively and enhance their cybersecurity resilience.
