Defeatism is Killing Cyber Security Innovation

The ICO bombshell

Data breaches are coming thick and fast and for so long that they have become the new norm. Information Commissioner’s Office (ICO) has by issuing extremely large fines to British Airways and Marriot Hotels, indicated to the private sector that we must take personal information privacy more seriously.

Will the ICO’s approach work? I don’t think so. Across the private sector, the cyber security conversation goes something like this:

Scenes like this explain why the global cybersecurity market is set to grow from its current market value of more than $120 billion to over $300 billion by 2024. It also explains why cyber attacks are more frequent, widespread and damaging than ever before. Cyber-crime damages which cost $3 trillion in 2017, are predicted to double by 2022, representing the greatest transfer in wealth in history. We are looking at a wild, unbridled, stallion kicking up dust, yet because it is contained within a paddock, we delude ourselves by believing we have the animal under control. Here are 3 reasons why we don’t:

• failure to acknowledge that the threats faced by the private sector are converging with those faced by the public sector
• excessive reliance on regulation
• failure of free market economics to deliver adequate cyber security.

Converging private and public sector cyber threat

“If businesses are facing the same threat as governments, why do they not protect themselves in the same way?”

Nation states have been spying on each other ever since the internet was invented nearly 40 years ago and during this time they have also committed a lot of resources to protecting the security of their information assets. 40 years ago, businesses worried about employees leaving computers on trains and occasional attacks by hackers operating from stuffy bedrooms. Today, when both the public and private sectors face threats from nation states and structured criminal groups with nation state capability, it begs the question, “If businesses are facing the same threat as governments, why do they not protect themselves in the same way?”

Cyber security is a technology area where peculiarly, the private sector can learn a lot from how secure parts of the public sector defends itself.

Regulating cyber security

Cyber security regulation will be more effective if we are able to overcome the following regulatory tendencies:

• we allow parties not responsible for managing risk to define the standards: standards set by consensus reflect what the decision-making majority within a standards group believes to be adequate, rather than what is appropriate for an individual group. Excessive emphasis on codes of compliance rather than responsibility also gives rise to complacency and raises the risk of failure. Standards are also notoriously slow to agree and in a dynamically changing threat environment, are often obsolete before they are adopted. If CISOs are expected to fall on their sword in the event of a breach, they should be given the freedom to choose the standards they wish to uphold.
• we support rules over discretion: a tick box approach to security saps resources from delivering real security. How many organisations have purchased technology or implemented processes to please auditors? Those responsible for security should be judged by their ability to create and implement a rational, coherent security strategy that reflects the threats they face, the groups’s appetite and capacity to absorb risk, rather than their willingness to adhere to rules.
• we support complexity over simplicity which makes cyber security worse: best practice says that breaches are inevitable and we need ‘protection-in-depth’ security. This is defeatism. Implicit in this approach is a belief that the security technologies we use, can’t be fully trusted, which leads us to adopt multi-layered IT security architectures of byzantine complexity that make us even more vulnerable to attack. We should instead support simplicity, based on high-assurance technologies.

Free market economics in cyber security is not delivering the security quality we need

We crave the illusion of certainty more than we do truth, which is why we need innovation.

The root of the problem is that no one knows how well cyber security products work because the IT security is not objectively tested. Too often, product reviews focus on features, documentation, value for money, performance, support and ease of use. Security isn’t measured at all. Testing results are comparative rather than absolute. They focus on differentiating products rather than their ability to address specific threats and as a consequence, they do not support risk-based decision-making, since it is not possible to calculate residual risk. Buyers are forced to rely on the experience of their peers or worse: the wild claims of vendors. It is not the best product that wins, but the best marketed product, which means that inadequate products continue to sell and the market continues to fail. We crave the illusion of certainty more than we do truth, which is why we need innovation.

Overcoming defeatism with innovation

Unlike governments and state-run organisations, businesses all too often accept that being hacked is inevitable. They spend a significant amount on services to detect breaches and recover from them, without considering that they now face similar threats to those the state has faced for a number of years, and that a change in approach is needed to meet these challenges.

What if a customer could see exactly how effective their security provider is? That’s the level of transparency and control Talion gives our clients, not only can you measure our effectiveness at a dashboard level but you can collaborate jointly with us on a security incident or even view the same data as our analysts in the SOC. There’s no mysterious cloak obscuring the client’s view, we will explain and show you, exactly how we are finding and eliminating threats on your network.