Over the past month, we have all watched with dismay as the islands of the Caribbean and coasts of Texas and Florida were hit with devastating rains and high-speed winds. In the days leading up to the storms’ landfalls, some of the most talented scientific minds deployed astounding levels of technology to assess and communicate the severity of the approaching threats—despite the fact that severe weather is notoriously unpredictable, with inherent uncertainty that makes truly accurate assessment of the threat nearly impossible.
In the physical world—where threats collide against civic infrastructures, highway engineering, uneven home construction—understanding and fleeing impending destruction is often the best we can do in moments of crisis. We may not know exactly where the storms will hit, so we work to avoid that damage because mitigating it seems impossible.
As I watched the storm predictions, I couldn’t help but see their similarities to cybersecurity threat prognosticators. But I also was plagued with a question I contemplate often: Why then are we not more focused on better protecting our assets than we are on what threatens them?
The answer that came to me was disappointing, though difficult to refute.
As a sector dedicated to securing strategic assets and enabling the economic prosperity of millions, too many of us in the cybersecurity business have become cyber-threat weathermen, breathlessly describing the threat. Without doubt, there is real value in raising awareness and better informing people about gathering storms and potential threats—a decade ago, it was my old organization that added the term “advanced persistent threat” to our industry terminology as a way to differentiate threat from hackers. However, while threat assessment has grown, our overall risk posture remains deeply insufficient, with few meaningful leaps forward in countering the other dimensions of risk: consequences and vulnerabilities.
And not only are we deeply insufficient in terms of mitigating the cyber risks that are often as unpredictable as hurricanes at sea—but we also wildly, unknowingly minimize the potential severity and devastation that will occur when they hit. As much as some like to focus on threats, the fact is that most have little idea how significant the threats are—let alone when and where they will be realized. Even within the inherent limitations of threat analysis, we are missing the true scope and bigger picture alike.
The strategic intentions of cyber adversaries out there—ideologically independent and state-sponsored alike—cannot and will not be relieved by commercial companies and individuals. Only governments with wizard-like technical resources, militaries and globally influential diplomatic and economic policies can change the behavior of whole countries. And sometimes, they still don’t succeed.
So—without minimizing the essential role of signature and information sharing; nor threat analysis’ importance in the overall risk equation of Vulnerability-times-Threat-times-Consequence—I hope to utilize this column to engage in the kind of cybersecurity dialogue and debate that will, hopefully, inspire all of us to move beyond the idea that the government will be able to provide accurate, precise, and well-timed warning to each of our networks; they have never promised that and it’s not practical. Because like a community bracing for a hurricane, what matters most is not the general knowledge we have about the storm approaching. Instead, it is the knowledge we have of our own internal infrastructures, plans and preparations—and how we have committed ourselves to bolstering our abilities to withstand the storms that will inevitably, increasingly and ever-more-destructively make landfall.
Original article was published in CSO Brandpost and can be found here.