True independence is a rare commodity in the Cyber Security world
There is an incredible amount of material online and on social media around cyber security. But the vast majority of it is either sponsored by technology vendors or directly associated with them. They range from start-ups and specialised software houses (large and small) all the way up to industry heavyweights. They sponsor industry events, conferences and publications of all sorts, including the specialised supplements of many broadsheets and magazines. They produce white papers, reports, surveys and the like, in numbers sufficient to fill several bookcases every year.
Broadly speaking, those reports have been saying the same thing for the past few years: Cyber threats are evolving faster than people can react; investments in cyber security are insufficient to keep up; maturity stays at low levels in large corporations and across the public sector; it must now become a “Board-level priority” for things to change.
Some of those aspects match what we observe in the field every day, but the overall message coming from technology vendors is simplistic and has two major flaws:
1- It tricks large corporations and the general public into believing that cyber security is something new
This is not the case. Cyber threats have not appeared overnight. In fact, they have been evolving over the best part of the last 15 years, and as a result there is a vast body of good practice that will go a long way towards protecting any business.
But those good practices have to be in place, and often are not. Cutting corners around those on grounds of costs or convenience simply creates opportunities that cyber threats can target. And indeed, many recent breaches seem to relate to the absence of security controls that have been regarded as good practice for years and should have been in place.
The sad reality is that, in spite of decades of spending in the information security space, many large organisations are still struggling today with problems going back to an era where security measures were seen as a necessary evil imposed by regulations – at odds with functionality and preventing innovation and agility.
2- It perpetuates the false idea that the problem is technical in nature
In fact, it is increasingly becoming a matter of mindset, culture and governance.
Many problems are rooted in decades of neglect, badly targeted investment, adverse prioritisation or complacency, and there can be no miracle solution – technical or otherwise – in such a situation: avoiding cyber security breaches, or dealing with them, requires coherent action over time across the whole organisation.
Only by identifying and removing the roadblocks that have prevented progress in the past will large organisations establish a genuine and lasting transformation dynamic. This is often a complex change process that could take years and requires relentless drive to succeed. It is not about deploying yet another piece of security software.
Of course, technology can and does enable some aspects of the cyber security transformation, but it needs to be rooted in a transformative vision that puts people and process first, and embedded within a target operating model that allocates clear roles and responsibilities across the whole enterprise, not just the IT department.
Those messages are rarely heard in the media, which are often dominated by the short-term agenda of tech vendors. And even when they do get mentioned, they are often lost in the midst of a vast amount of technology noise and are hardly audible or credible.
True independence is a rare commodity in the Cyber Security world, but it is essential for large organisations to navigate those waters and develop a genuinely protective practice, instead of simply listening to the latest technology buzz.