When a code red—or even a code yellow—hits an organisation, security teams are among the first to know. They troubleshoot. They firefight. They keep networks and other corporate assets secure. But when it comes to innovation and digital transformation, security professionals don’t always get a seat at the table.
Security organisations can—and should—be leading the charge to tackle the riskiest problems in their organisations head-on. After all, they are the most qualified to do it. However, an ingrained culture of inertia and blame-shifting has gobbled up innovation. Thankfully, things are beginning to change.
After spending more than 25 years in the technology industry, I have observed a cultural paradigm of learned insecurity when it comes to risk management and information security controls. A philosophy of “not if you get breached, but when” has spread throughout the industry like an infection, and the big security players continue to patch the problems with ineffective, after-the-fact treatments. Despite major breaches making headlines every week, the wider industry hasn’t yet been compelled to innovate and solve the root cause of the problem.
Recent research from Microsoft has suggested cyber security could cost Australian businesses $29 billion each year in direct costs alone—some two per cent of the country’s GDP. Even though this amount is just the tip of the iceberg when it comes to the economic impact of information security, it appears Australian businesses are still stalled by fear. Microsoft’s research also found that 66 per cent of local organisations have not upgraded their IT systems as part of other digital transformation initiatives based on a misguided belief that such upgrades could increase their exposure to cyber threats.
There is clearly an education problem when it comes to digital transformation and cyber—and the security industry isn’t stepping up to help.
Embracing suboptimal environments
A famous experiment from the sixties evaluated the behaviour of five monkeys placed in a cage that contained a ladder with bananas at the top. The monkeys were deterred from climbing the ladder, and in the end, no monkey was brave enough to try for fear of being beaten up by their comrades. They accepted what happened in the cage, and there was no hope of securing bananas for anyone.
Today, the security industry is equally ambivalent. The major players have largely been resistant to reaching for the proverbial banana because life has been more or less peaceful in the cage.
By and large, many information security companies profit from their own failures. After the devastating effect of global cyberattacks like WannaCry and NotPetya, the stocks of the security companies whose solutions failed to protect their customers actually rose. It seems crazy that a US$93 billion industry built upon providing secure computing should expect to profit from data breaches and cyberattacks.
From shifting blame to shifting gears
As we’ve seen with breaches like PageUp and Ticketmaster, incredible amounts of time and money are spent forensically investigating cyber security incidents: Who did it? Why? What did they want? What did they manage to get? While it’s important to understand the effects on sensitive business and customer data, and to attempt to remediate any losses, incident attribution is actually a distraction.
It doesn’t really matter who hacked you: CISOs have no ability to affect threat actors; they only have control over their organisation’s vulnerability to attack, by identifying failed controls and deploying better ones.
Exacerbating the problem, established endpoint security vendors continue to offer trusting customers signature-based security solutions with after-the-fact patches. They don’t strive for proactive, artificial intelligence-based security that prevents sophisticated attackers instead of merely responding to them.
But of course, it’s not all doom and gloom. As signalled by the ASD’s Director General Mike Burgess at a Senate Estimates hearing in May, the broader conversation in Australia is shifting from the outdated concept of compliance to the more forward-thinking notion of risk management. The government has acknowledged that innovation is the key to securing the nation’s future and, with legislation including the Notifiable Data Breaches Scheme and the Security of Critical Infrastructure Act, has demonstrated that cyber is being taken seriously as a national concern.
It’s time to take out the rubbish
So how should businesses fall into line, embrace the digital transformation process, and step up their information security controls?
In another famous experiment that went viral in 2012, two capuchin monkeys were asked to hand over a small stone in exchange for food. One was given a piece of cucumber and the other was given a grape. The first monkey accepted and ate the piece of cucumber without complaint, but noticed that his companion had received a far tastier treat. The second time he received a piece of cucumber in exchange for his stone, he went mad and threw it back in the scientist’s face.
Monkeys are smart enough to recognise the difference between what they have and something else that’s better. Businesses shouldn’t simply accept a substandard security product that doesn’t solve the problem it was purchased to protect against. We can do better.
Over the past five years, new players have been entering the security market offering solutions built on artificial intelligence and machine learning—technologies that are proven to be more than 99 per cent effective in preventing attacks.
If your organisation uses an old, ineffective security product, challenge that paradigm by throwing it back in the vendor’s face and switch to something better. Support a new culture of innovation and perpetual prevention that can actually succeed in protecting your business and your customers.