Cyber Insights from an Ex-Hacker, Part 2a

Greg van der Gaast
Independent Security Strategist

July 30, 2024

Beyond Recovery: Exploring the Problem - Part 2 of 5

Welcome to part 2 of the Beyond Recovery series, where I will start elaborating on the problem we are trying to solve.

Understanding the Root Cause

I think we can all agree that in order to reach the right outcomes, to find the right solution(s) to a problem, it’s essential to fully understand the problem itself. And before we can talk about leveraging the true value of storage and recovery capabilities (or in fact many other security technologies), it’s essential to understand the real problem to best address it.

An interesting observation I’ve made over the years is that when I ask different security professionals what they feel the most fundamental problem in security is, they reply with wildly different answers. They are usually all valid problems, but rarely fundamental ones. In other words, they describe things caused by something else, but usually don’t expand their scope to address the true cause. It’s no surprise then that the problem of security only continues to grow.

But let’s take a step back and look at the security industry today. As an “industry expert” I’m constantly asked about new trends in technology, new vulnerabilities, new dynamics in how criminal gangs operate, etc.

I don’t find any of this particularly relevant. Because it isn’t.

I’m not a very good “industry expert” because I don’t really care about the “security industry.” I care about businesses achieving outcomes. Businesses aren’t funding security because they care about any of the things above. They’re funding security to get a return on investment in terms of reduced risk.

Security Spending vs. Security Outcomes

So, with that as the metric, how are we doing?

Well, over the last two decades we have seen a continuous increase in spending on information security. This spending has increased exponentially not only in absolute terms, but also as a percentage of IT and overall budgets.

The corresponding decrease in incidents, or exploited risk, has been… non-existent.

In fact, it has gotten worse, and continues to get worse. What’s interesting is that every year the number of vulnerabilities discovered increases and, due to the fact that we can’t fix them all, the number of vulnerabilities we carry increases exponentially.

What’s interesting about this? The trend in how many vulnerabilities are present in our organizations, whether they are “risk-managed” or not, tracks roughly with the damages caused by breaches every year.

If you think about it, it’s clearly unsustainable. You could argue that security practices and technologies have stopped many attacks, but what is the business meaning of that if the attacker then just moves on to another way to compromise the organization and the end result is the same?

The Alarming Trend of Security Surrenders

This lack of success has led to some famous quotes around information security:

“There are only two types of companies: those that have been hacked and those that will be hacked.” - Robert S. Mueller III, executive director of the FBI

And the more general “it’s not if, but when.”

Through a business lens, this trend is raising eyebrows about the cost-effectiveness of spending on information and data security.

It has also brought about a change in thinking: that recovery, in the context of resilience, should perhaps be the main priority. As such, despite stagnation in spending on security tools, companies have been investing (wisely, I’d say, considering the circumstances) in their recovery capabilities.

It’s logical thinking. If we cannot stop being hit, successfully, then we must focus on our ability to recover quickly and recover well.

But to me this is fairly staggering if you think about it. It signals the surrender of security teams to cyber criminals: “We do what we can, but at the end of the day we know the house is going to get knocked down and we’ll have to rebuild it.”

A Flawed Approach: Why We’re Not Getting Security Right

But what if there was another way? What if we’ve been proceeding without fully understanding the concept of security, meaning our approach was flawed, and that this was the reason why it was ineffective and providing so little return on investment?

Allow me to share with you a few epiphanies I’ve had over my 25-year career. These simple concepts have shaped my thinking and enabled me to do something I’ve seen few others achieve: decrease risk permanently over time while continuously reducing security spending and generating a net increase in the organization’s bottom line. Yes, an internal security function that is not a cost center, to the contrary in fact.

1. Security isn’t security’s job.

Security is a bit like keeping a ship afloat. Ships leak all the time. Tons of water pressure on the hull means the water will find the smallest crack; leaking pipes, waves crashing over the bow and so on all contribute to water getting in. But that’s ok, ships have bilge pumps to handle these unwanted ingresses. It’s a bit like your typical security function.

Although if your ship is leaking thousands of gallons of water every minute due to gaps in the hull, bad seals, leaky pipes and more, then your bilge pumps aren’t going to be able to save you and buying more isn’t going to be the answer. That’s ok because it’s not the pump’s job to keep the ship afloat, it’s the ship’s. The design of the entire ship is such that it keeps the ingress to a minimum, and the bilge pump’s job is just to handle a manageable amount.

Expecting a conventional IT security function to keep your organization secure by itself is a bit like putting bilge pumps into an apartment building, dropping it into the Atlantic, and expecting it to float.

2. Risk management alone is a bad idea.

Imagine you’re an aircraft manufacturer, you have a new model in service, and someone discovers that a critical bolt in the fuselage (substitute landing gear, etc., if preferred) can loosen in flight.

Would you set up workshops worldwide and carry out bolt checking and tightening operations to minimize risk of an incident, expanding that operation as your business and fleet grew? Or would you figure out why those bolts were loosening, address the issue with a better design, use it in production going forward, and retrofit what already was in the field and never have to deal with it again?

This is the difference between pure Risk Management and Quality Management.

Note any similarity to widely covered real life events is purely coincidental, as this is a story I’ve been using to illustrate this point for some time now. But if you do view it through that very real-world lens, you can see just how important that difference between risk management and quality management can be.

And in cybersecurity we still focus almost exclusively on the former. Meanwhile, mature industries have successfully reduced the number of incidents they have over time, eventually also reducing how much they spend doing so. They then only risk-manage the residual risk which cannot cost-effectively be quality-managed away.

That is the only place we should be risk managing in our conventional way (think back to our bilge pump).

And that’s why the negative outcomes over time in mature industries look like the graph on the left, and those in security look like the graph on the right.

Figure: Risk management alone is a bad idea

Needless to say, this approach also has big financial benefits for the business which we’ll cover later.

3. Security is a quality issue.

If the above point didn’t quite make sense to you, I think it will after you take this idea on board: security is mostly about the exploitation of vulnerabilities (in the loosest interpretation of the word). But what are vulnerabilities if not quality issues or defects?

Defects in code, configuration, build, design, architecture, process, context, etc., which allow an unforeseen or undesired event to occur that malicious actors can leverage to compromise us.

Once we realize this, we see how the conventional quality management approaches in use in other industries can be applied to prevent as much risk as possible from being introduced in the first place. That means we reduce the amount of vulnerability we carry over time not because we are spending more and more resources mitigating it, but because we addressed the root causes that were creating it in the first place.

Taking a Holistic Approach

To summarise the above concepts: to be secure, all parts of an organization must be thought out with security in mind. That includes systems, applications, processes and more, throughout the business. Security’s ultimate goal should be to define how all those things should be done so that the business operates securely and has to risk-manage as little as possible.

Join us for our next instalment where I’ll present a few more principles that I hope will make you rethink how you approach security, how that change can be achieved, and how storage and recovery can be an enormous accelerator in delivering it.

Read Part 1: Beyond Recovery: Beyond Technology

Greg van der Gaast started his career as a teenage hacker and undercover FBI and DoD operative but has progressed to be one of the most strategic and business-oriented voices in the industry, with thought-provoking ideas often at odds with the status quo.

He is a frequent public speaker on security strategy, the author of Rethinking Security and What We Call Security, a former CISO, and currently Managing Director of Sequoia Consulting, which helps organizations fix business problems so that they have fewer security ones.