Cyber Security Revisited: Why Compromise Breeds Compromise

The seeming inevitability of cyber insecurity makes it all too easy to externalize the situation, requiring someone - somewhere - to do something. But what about our own personal roles and responsibilities as security professionals and consumers? How much of this problem do we personally own? 

By any calculus plenty, we (as by our calculus, the collective “me,” “the” and “we”) have been too trusting of our experts, too staid in our approaches, and much, much too complacent in our demands for results. Here are the top five reasons why we believe that personal and professional apathy has compromised our digital lives.

1. Saying Isn’t Doing. Pithy marketing saying you do something-or-other isn’t quite the same as actually doing it. Casual observation of the “hack du jour” would seem to indicate that solution providers saying that they are anti-virus, or anti-spyware, or anti-whatever is having a similar effect on cyber security as anti-war sentiments have had on stopping wars.

2. No Scorecard, No Results. Many know that you can’t fix what you can’t measure, and yet cyber security remains an industry befuddled in its development of even a rudimentary set of outcome oriented metrics. Case in point is a pretty good piece of recent work by Carnegie Mellon’s Software Engineering Institute that is in our view almost entirely negated by its lack of constructiveness.

Specifically, even after acknowledging the obvious pitfalls of measuring inputs vs. outputs (a seeming industry preoccupation) the report provides no directive thoughts, prescriptive recommendations or even a future work acknowledgement of the need for results oriented cyber security metrics. As such we would propose pragmatically starting with two simple, easy to understand, measure and compare (over time) metrics:

- What percentage of bad stuff can we keep off our systems?

- What number and percentage of actual attack vectors can we stop (with an emphasis on the top 25 or so)?

Not perfect for sure, but a pragmatic start (if you have a better idea, propose it and let’s get on with using it, but doing nothing isn’t acceptable). Unfortunately, the truthful answer to both questions would self-evidently be “not much.”

3. Absolute, Not Relative Results Matter. The digerati would have us believe that surveying industry leaders and then “benchmarking” their solution sets – even though they are known a priori not to work – is following some form of admiral best practices. Ditto for being “best of breed” among a mediocre, if not downright poor set of comparables.

Sure these measures satisfy compliance checklists and the “commercially reasonableness” test for legal liability – which we regrettably understand remain required objectives – but let’s at least stop kidding ourselves that either actually improves cyber security or is something that should be lauded. 

 

4. Hard Problems Require Hard Work. It’s human nature to choose the path of least resistance; the proverbial “easy way.” Unfortunately, deep, difficult, complex, multi-domain problems like cyber insecurity are not solvable by the often simple, superficial and superfluous solutions proposed to date.

Bluntly put, it’s time to stop treating symptoms with Band-Aids and start holistically focusing on root causes. And yes, we fully recognize that the cyber infrastructure was never designed to be secure, and as such, any effective solution must pragmatically be backwards compatible. Much easier recognized and said than done, but it really is time quit complaining and just get on with trying to solve the problem at hand.

5. Suspension of Belief. Markets often suffer from what has been described as the “suspension of disbelief” such as, by way of example, the Internet valuation bubble of 2000 and the recent subprime mortgage debacle. Unfortunately, cyber security is facing a much more troublesome challenge that we call “the suspension of belief.”

Simply put, very few people think that cyber security is a problem that can be “solved,” even to acceptable levels of risk. In this regard, count us unapologetically in the visible minority, for we are deeply committed, actively engaged and manically optimistic that a secure end state can be achieved.

True introspection is often unkind and never easy. Some may view the above assessment as harsh, but the pragmatic truth is that reality often is - or perhaps the pragmatic reality is that the truth often is. Either way, the bottom line is that we all need to expect more, nay in fact demand more - much more.

The bad guys aren’t just winning against the incumbent solutions and mindsets; they are running up the score.  Think about it - if Google and the U.S. government can’t protect stakeholder data, then who can? What can we realistically expect IT managers with materially less resources to do?

In short, it’s time for IT to stop cyber security’s equivalent of “insanity,” for as defined by Einstein, “the definition of insanity is doing the same thing over and over and expecting a different result.”

It’s time for IT to embrace the reality that to make progress in closing the cyber security gap, new thinking, new models and new approaches are needed. When it comes to cyber security, we clearly and unequivocally both need and deserve better.

David Lowenstein is the CEO and co-founder of Federated Networks, an IT security company. He has successfully led corporations in the business process outsourcing, education and environmental services industries. He is currently the Chairman of the Board of Princeton Review.

Risu Na is the CTO and co-founder of Federated Networks. He has led development teams to create e-learning systems and co-founded  iSoftech, a cloud-based knowledge management software manufacturer.

Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.