
Owning Cybersecurity Outcomes

There are a number of ways that outcomes can be defined. For the purpose of this article, let us take the outcome of cybersecurity to be effectively defending against cyber attacks. I think we can all agree on that, regardless of your role in the industry. The main objective is to defend against attacks: either prevent them entirely or mitigate the damage done by criminals, nation-states, and lone individuals.

Depending on the organization, the motivation to do this can differ, but it essentially comes down to one of two things. The first is to defend the ability to make money. In this case, the spend on cybersecurity must be less than the expected cost of doing nothing. The second is to defend the ability to perform a task or mission; think emergency services or the military. The end goal here isn’t profit; it is to invest enough in cyber defenses to have confidence that the required actions can be carried out and the mission accomplished. That changes the spend conversation, because it now turns on risk and on questions like “what is confidence, and how is it measured?”

I am sure this is one place the entire industry can agree. What we do not agree on is how this is done, or even the most effective way to do it. We have tried: there are numerous frameworks and best-practice documents. But judging by the state of things, those have not been effective either.

There is a soup of predatory capitalism, insufficient technical understanding of the problem set, and a lack of workforce at all levels, but especially in management. The result is extremely high spend and industry-wide investment in ineffective solutions, and even in entire sets of roles: investment that is not laser-focused on the end goals described above. When you get down to it, those goals are met by an individual with sufficient knowledge and skill, and the enablement to use that knowledge in defense, who knows more than the adversary attempting to compromise their systems. In some cases that comes down to a checkbox on something like an S3 bucket, where missing it costs hundreds of millions. In others, it means a massive auditing and governance organization in which nobody is actually ensuring that the technical protections and detections are in place to protect the data.

Now, I have skirted around the problem a bit here, but it is so dire that as I take the time to write this, I am reminded of the guilt I have for not jumping on the keyboard and implementing solutions for detecting web attacks, or adding full packet capture to the networks that host the domain controllers. I haven’t tested DNS C2 and made sure it is detected in all the networks I am responsible for. Instead, just like billions of salary dollars before me, I am mired in text. Don’t get me wrong, policy is important, but without skilled and knowledgeable implementation, we lose.

And we are, in fact, losing. Thought leadership on strategies for translating complicated subjects into business terms rules the conferences, while simple attacker techniques, like dropping PsExec and AnyDesk on a compromised device, are not only not prevented but go undetected and lead to millions in losses.
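As an added illustration of the kind of implementation work the two paragraphs above are pointing at (this is example code written for this page, not anything from the original post), here is a small detection pass in Python over constructed telemetry. It covers both complaints: it flags PsExec’s default service install (Windows System log event 7045 with service name PSEXESVC), launches of watch-listed remote-administration binaries such as AnyDesk (Security log event 4688), and DNS queries whose labels are long and high-entropy, which is the usual shape of DNS tunneling and DNS-based C2. The event field names follow the real Windows events; the sample records, hostnames, usernames and the `evil-c2.test` domain are made up for the example.

```python
import math
from collections import Counter

# Constructed sample records (not real telemetry). Field names follow the
# Windows Security 4688 / System 7045 events and a generic DNS query log;
# the hosts, users, paths and domains below are invented for this example.
WINDOWS_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "Computer": "FS01"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "SubjectUserName": "jdoe", "Computer": "WS17"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "SubjectUserName": "SYSTEM", "Computer": "WS17"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Computer": "FS01"},
]

DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "3a7f9c2e1b8d4a6f0c9e2d7b5a1f8c3e6d9b2a4f7c1e8d3b.evil-c2.test",
    "9e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c1b2a3f.evil-c2.test",
    "cdn.example.com",
]

# PsExec installs a service named PSEXESVC by default; the process list
# covers the tools named in the text plus PsExec's own binaries.
SERVICE_WATCHLIST = {"psexesvc"}
PROCESS_WATCHLIST = {"anydesk.exe", "psexec.exe", "psexesvc.exe"}


def detect_remote_admin_tools(events):
    """Return (rule, host, detail) alerts for PsExec service installs (7045)
    and watch-listed process launches (4688). Matching is on the service and
    image name only, so a renamed binary or a custom -r service name evades
    it; treat this as a floor, not a ceiling."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 7045:
            name = ev.get("ServiceName", "").lower()
            image = ev.get("ImagePath", "").lower()
            if name in SERVICE_WATCHLIST or "psexesvc" in image:
                alerts.append(("psexec_service_install", ev["Computer"], ev["ServiceName"]))
        elif ev.get("EventID") == 4688:
            exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if exe in PROCESS_WATCHLIST:
                alerts.append(("remote_admin_tool_launch", ev["Computer"], exe))
    return alerts


def shannon_entropy(s):
    """Bits of entropy per character; ~4 for hex, ~5 for base32 payloads."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_dns_tunneling(queries, min_label_len=40, min_entropy=3.5, min_hits=2):
    """Group suspicious queries by parent domain. A query is suspicious when
    some subdomain label is unusually long and the subdomain text has high
    entropy, which is how encoded data in DNS labels looks. Requiring
    min_hits per parent domain suppresses one-off CDN or telemetry names.
    Assumption: the parent domain is the last two labels; a public-suffix
    list is needed to handle names like example.co.uk correctly."""
    hits = {}
    for fqdn in queries:
        labels = fqdn.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])
        sub_labels = labels[:-2]
        sub_text = "".join(sub_labels)
        if (max(len(l) for l in sub_labels) >= min_label_len
                and shannon_entropy(sub_text) >= min_entropy):
            hits.setdefault(parent, []).append(fqdn)
    return {p: q for p, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for alert in detect_remote_admin_tools(WINDOWS_EVENTS):
        print("ALERT", *alert)
    for parent, names in detect_dns_tunneling(DNS_QUERIES).items():
        print("ALERT dns_tunneling", parent, len(names), "queries")
```

Run as written, the block raises one alert for the PSEXESVC install on FS01, one for AnyDesk.exe on WS17, and one for two long hex-label queries under evil-c2.test; the benign svchost, Spooler and example.com records pass. Both detections are deliberately simple: the point is that they are cheap to stand up against the logs most shops already collect, and that nobody standing them up is the failure the text describes.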

My call to action is this. Do NOT disregard the high level of technical skill and understanding required to effectively defend your networks. It does not, in every case, need to be dumbed down or put into layman’s terms for a decision to be made; doing so abstracts away the reality of the problem. Instead, push the decision down to the level at which you have an individual who does have the proper technical understanding of the subject. Promote expertise, not business acumen and networking skills. Elevate members who have shown technical decision-making that can be directly tied to thwarting cyber attacks, not strategic thought leadership.

This may feel unpopular. But we have to stop dominating the industry with concepts that are “easy to understand” and instead encourage everyone to raise the bar. Because the attackers don’t care about thought leadership, or policy, or anything other than rapidly advancing their technical capabilities to outpace our defenses.