Since the early 1990s, we’ve watched the internet evolve from dial-up connections to high-speed, cloud-based computing. Organizations have navigated a shifting maze of technology while defending against cyberattacks. Sadly, after three decades in cybersecurity, I see organizations wrestling with the same problems in 2023 that they grappled with in 1995 when they first plugged into the internet.
Attacks on users through email, attacks on availability through denial-of-service campaigns, and exploits of systems through vulnerable applications are longstanding strategies that remain fruitful for threat actors.
Even today, with increased awareness and public reporting of data breaches, business leaders and developers aren’t taught to balance new technologies with the security they require. Organizations still focus on functionality and time to market, not on ensuring secure, predictable behavior. This creates a weakened infrastructure that attackers continue to prey on, successfully and daily.
So, why do cybersecurity losses continue growing despite a projected $188.3 billion global annual spending on information security and risk management products and services?
We’re Treating Symptoms, Not Causes
Vendor messaging over the decades has trained the marketplace to believe the solution to cybersecurity challenges is technology. More and more technology. The same proposition leads people to think they can lose weight with a pill — not eating better or exercising more, but a quick and easy solution so that they can pay to make the problem disappear.
The growth of security budgets shows this line of thinking is pervasive and leads to a vicious cycle of trying to outspend risk. In truth, while much of the technology is valuable, cybersecurity issues arise in the gaps.
Like prescriptions that are stopped mid-course or bandages over broken bones, technology adopted without a plan can create misplaced confidence in an incomplete system. Many organizations focus on shiny, new attacks at the expense of solid foundational protection, and this misprioritization has continued a culture of victimization and never-ending vulnerabilities.
The rising cost and destructive power of cyberattacks aren’t new; they’re collateral damage from years of neglecting basic security policies and best practices. Increased security investment is spent on niche protection technologies promoted by analysts, vendors, press coverage, and practitioner curiosity.
The constant change in tooling and focus also leads to burnout and job dissatisfaction among experienced leaders, exacerbating the cybersecurity skills shortage. To address ongoing vulnerability and increasing stress, we need to think about cybersecurity differently, recognizing that successful businesses rely on a healthy security posture.
Cybersecurity’s Preventive Medicine
Organizations should consider their security practices the same way people think about their well-being. Focus on staying healthy instead of finding a new pill for every security symptom you see. The same principles you hear from the doctor apply to cybersecurity resilience: diet, exercise, and regular checkups.
Security’s basic food groups are prevention, detection, response, and remediation. Address each appropriately based on the specifics of your organizational need. Too little prevention and your detection, response, and remediation will be swamped. Too little response and security events will drag on. Your security program should consume only what it needs and what your team can digest and use. Any more than this, and you’ll be carrying extra weight in your budget.
Cybersecurity conditioning means regularly conducting awareness training, tabletop exercises, practitioner certifications, asset inventory verifications, and penetration tests. Keep the team up to date on roles and responsibilities. Your response will be faster and more targeted, and your organization less disturbed, if you take the time to work out that security muscle regularly.
No one likes going for a yearly physical, but it’s a great way to learn if you’re as healthy as you think. Find time to run through your security program to make sure it’s still balanced. Have your team double-check critical controls and compliance with relevant standards or best practices. Get a second opinion once in a while. Find a third party that doesn’t have the context of your business and ask what they see. Good cybersecurity health means looking for even small indications something may have been missed. It doesn’t take long for that blind spot to put your whole effort at risk.
If You Do Get Sick…
Maintaining a resilient, trustworthy security system is complicated by new capabilities and a diverse threat landscape. By some estimates, more than 250,000 new pieces of malware are detected daily. We need to diagnose and treat new problems like the healthcare industry addresses constantly changing epidemiological challenges.
The healthcare system keeps up with new and mutating diseases because specialists focus on a single condition, determining the best means to identify and diagnose it. Another group focuses on treatment to quell the problem early. Others develop the specialized equipment that powers diagnosis and treatment, while hospitals and the entire healthcare ecosystem support patients.
If we understand our organizations and the threats we’re likely to face, we can begin to live the healthy, budgetable, and predictable corporate cybersecurity life we’ve sought for decades. By taking cyber health more seriously, we can cure the fundamental problems that have plagued the industry for the past 30 years and stop merely treating the symptoms and attacks.