The impact of cyberattacks on businesses is often easy to measure, and tech vendors are always spouting off different stats in order to show you why you need their latest tool (including yours truly). But one stat truly shook me this week:
Last year cyber crime cost businesses and individuals $445 Billion and cost 350,000 people their jobs.
The first part of that stat is easy to parse, even with all those zeroes. It was the second part that made all of this a bit more personal. People lose their jobs because of what is happening in cybersecurity. Now we don’t know all of the circumstances around these hundreds of individuals, and some may even deserved to lose their job due to negligence. What is the most interesting about this data point is the flip side of the same coin, and a headline we see each week, that we have a massive shortage of talent to fight these cyber attacks.
While we watch people lose their jobs we also demand that we produce more talented people to handle the ever-increasing force of cyber attackers. Nobody is arguing that we need more people, and more talented people, to fight this battle. But that is not going to happen today, tomorrow, or even this year. And while it would be great if we could just call a truce with the cyber attackers until we beef up our own side, the reality is we have to fight with what we’ve got. But how?
Technology to Enable, Not Disable
Years ago, sitting in a large conference room at a large oil & gas vendor it hit me hard. Security tech vendors had been coming into for years selling these people technology to ‘prevent and block’ attackers. Soon thereafter they came back to sell them a ‘next-generation’ way to again prevent and block attackers. And it was only a few more years after that they were back in that room to sell them new technology focused on ‘security analytics’, ‘operational insight’, and/or ‘threat intelligence’.
In every scenario this company not only bought the latest technology, they then also had to tack on professional services or even a FTE to run the technology. And each time it took their current team immense amount of time to ramp up on the new technology; a team that was constantly turning over due to the competitive nature of the cyber market (see above). And yet, attacks continue to get more persistent, more advanced, and more common.
It’s About People Using Technology, Not The Other Way Around
What struck me that day after dinner with the CISO was that all the technologies they had implemented were focused on the technology first. These companies followed a very classic model of seeing a problem and creating technology that could plug that hole. Think about a firewall, it literally builds a wall within technology, using technology. Even the SIEM technology they had implemented was focused primarily on all the different connectors from their system into other systems and collecting all that information onto ‘one pane of glass’. But what they had instead was one pain of glass because the technology-centric minds had forgotten a critical element; the people looking through the window.
One thing that humans do well is innovating in the face of danger. It’s kind of in our biology. And what we are seeing today in cybersecurity is the third phase of innovation, and it is centered on people:
Phase I: Prevent by building walls
Phase II: Detect by building walls and moats
Phase III: View, inspect, and respond by analyzing user behavior
The reason we need to center on people is not simply because of a shortage of skills, but because people are the problem. They are the attackers and the ones putting us in danger at the endpoint. Again, it’s human nature. The technologies that are going to win this battle, or at least allow us to survive, are the ones that were purpose-built to not only enhance the abilities of the person on the other side of that keyboard, but also focus on the behaviors of the users themselves, and not simply the technologies themselves.