Where cybersecurity misses the mark, yet again

Esoteric cyber threats posed by countries like Iran and North Korea may grab the headlines, but distract from the real security issues, argues Tanium's Orion Hindawi

In recent weeks, organisations have been warned to be on the look-out for imminent Iranian cyber attacks. And many vendors have not been slow to come out with their own research dissecting the technical tradecraft of Iranian threat groups.

The US Department of Homeland Security warning of a looming cyber threat has been accompanied by social media full of angst - and advice.

For most organisations, this discussion has no practical value. It is, in fact, a distraction.

Indeed, it's symptomatic of a cybersecurity industry that has consistently failed its customers. It may be true that there is a greater likelihood of attack from Iran. But that won't affect the priorities of most organisations when it comes to cybersecurity.

Most organisations are far more likely to be compromised via a long-known vulnerability than to be targeted in any nation-state attack

For more than 10 years, Verizon's Data Breach Investigations Report, the most comprehensive review of security breaches globally, has consistently shown that most organisations are far more likely to be compromised via a long-known vulnerability than to be targeted in any nation-state attack taking advantage of sophisticated ‘zero-day' mechanisms.

This makes sense. Why would anyone - an Iranian threat group or anyone else - exert additional effort when organisations provide much easier flaws to exploit?

Accordingly, year after year, Verizon's recommendations focus on the fundamentals of cybersecurity: maintain a complete inventory of assets, manage credentials and enable two-factor authentication, patch assets for known vulnerabilities, and so on.

But the message from much of the cybersecurity industry focuses on more esoteric threats, such as ultra-sophisticated nation-state adversaries, to the detriment of implementing bread-and-butter controls that provably minimise risk regardless of threat actor.

The state-of-the-art when it comes to cyber risk management is embarrassingly rudimentary: a human walking around, asking questions about each control

Today, no consensus exists to determine cyber risk measurement, and a large portion of the more than $100 billion annual spending in cybersecurity is spent on solving edge cases that, while exciting to think about, aren't representative of the real risks companies face.

The lack of consensus on truly measuring cyber risk further drives this behaviour. Companies today simply cannot determine their true exposure - similar to a banking system unable to evaluate the creditworthiness of borrowers.

To be sure, there's been progress made in the recent past. The National Institutes of Standards and Technology (NIST) promulgated a widely adopted framework for describing security controls. While it's not the first cybersecurity or IT risk framework, it has become the de facto standard in the US.

But a common language is not the same as risk management. It's like having Generally Accepted Accounting Principles (GAAP) and leaving it at that. What's missing today is an intellectual bridge between a framework like NIST and true cyber risk management.

Companies today simply cannot determine their true exposure

The state-of-the-art when it comes to cyber risk management is embarrassingly rudimentary: a human walking around, asking questions about each control, characterising those controls along a scale, and ultimately providing a composite score.

It's a revealing dissonance: an industry that evangelizes machine learning and artificial intelligence can only measure its own efficacy in what amounts to a checkbox exercise. It's no wonder that boards of directors remain unimpressed by cyber risk reporting.

Undoubtedly, there are challenges associated with constructing this intellectual bridge. Limited historical data exists regarding cyber incidents. Cyber risk is fat-tailed, highly correlated and inter-dependent: each organisation's maturity affects the risks associated with its counterparties.

Perhaps most vexing of all, cyber risk evolves constantly with technological progress. Historical data about PC-centric security controls in the early 2000s isn't helpful in assessing the current bring-your-own-device corporate environment increasingly blanketed in IoT.

But the failures of risk management in other industries are instructive. Complexity leads to risk assessment failures. Cyber risk measurement - with mountains of data - could easily fall victim.

Rather, cyber risk management needs easy-to-calculate values that have clear associated prescriptive guidance for risk mitigation, like capital requirements in banking. Maybe then organisations can finally get a sense of the return on investment on their annual contributions of $100 billion+ to the cybersecurity industry.

Orion Hindawi is CEO and co-founder of Tanium, a unified endpoint management and security company based in Emeryville, California