What Is Cybersecurity?
By Ken Tola
Over the past six months, I have performed an exhaustive review of the major cybersecurity products on the market today. I have reviewed everything from endpoint protection systems (EPS) and security incident and event management (SIEM) to unified threat management (UTM) and cloud and Kubernetes security options. In all of these products, I discovered one important reality: Nobody defines cybersecurity correctly anymore.
The World Economic Forum reports that over $1 trillion in damages can be attributed to cybersecurity incidents in 2018. With this ever-growing risk, it’s vital to know exactly what cybersecurity should be.
Back in the late 1990s, the mere thought of disrupting operations was taboo, as operational efficiency was paramount to everything else. Then, more and more damage was caused by a range of successful attacks, and, insidiously, cybersecurity vendors chipped away at the original goal of digital protection. This goal was and still should be safe, stable operations.
I am not going to write about all of the issues modern cybersecurity products have with actually stopping attacks – just take a look at the news. Instead, I want to focus on the disappearance of the stability of operations. From what I’ve seen, this started with the rise of “agentless” cybersecurity products.
The Isolation Fiasco
To be clear, “agentless” does not mean “zero-touch.” In fact, many of these products do place appliances in line with ongoing communications. They may also redirect data to cloud-based operations. By definition, however, these agentless options never place any sort of agent on a device.
But what happens when an exploit occurs? Isolation — and that’s it. This new wave of products opts to resolve issues by isolating either the exploited device or the entire network on which that device resides. While this isolation is acceptable from a modern cybersecurity perspective, it is often a disaster from an operational perspective. The exploited devices are rarely somebody’s phone or laptop. Instead, they’re typically central servers or devices in a critical path. Taking those devices offline takes down operations, and operational downtime costs quite often exceed any damage elicited by an actual hack.
According to ITIC, 86% of firms say one hour of downtime costs $300,000 or more, and 34% of companies say one hour of downtime results in a loss of over $1 million. Another common isolation target is a data center, where the agentless approach of taking everything offline typically costs $300,000 per hour. Imagine being offline for a day and receiving a bill for over $7 million. That is just due to the cybersecurity response.
In 2016, Deloitte released a report that focused on the hidden costs of a cybersecurity incident for a large health insurer. The approach of isolating the hack resulted in $30 million in immediate operational downtime and a loss of $830 million in unsupported contracts. Isolation violates the foundations of safe, secure operations. Cybersecurity products that ignore this concept are causing significant harm.
Stop Blaming Employees
In their 2019 cybercrime study, Accenture notes that the top concern for cybersecurity breaches is employees. Many organizations believe their employees are the reason why hackers are so successful.
If cybersecurity is supposed to ensure safe, stable operations, then why is everybody blaming employees? Employees need protection — often from themselves — and that onus is on cybersecurity solutions. We can’t expect non-cybersecurity experts to constantly fight expert hackers. Nobody demands that employees break down emails into tiny blocks of data, manually transmit that information over a wired line to a recipient and then rebuild the original email. So why expect people to somehow safeguard that information?
Safe, secure operations have to keep everybody safe, stop attacks before they cause damage and place businesses and their employees inside that bubble of protection. Blaming employees for cybersecurity failures and taking down operations due to an inability to actually solve a problem just does not work.
Organization For Now
Currently, most enterprises purchase one-off products for specific needs, with many running 80 or more cybersecurity products at the same time. Despite all of these products, most enterprises have no idea if what they purchased is working.
We need solutions that stop disrupting operations while still protecting employees. We need services that proactively short-circuit exploits and can change and adapt without forcing businesses to modify how they operate. And yet, those products and services are still not on the market in any demonstrable manner — so what can you do today?
Enterprises need to consolidate their security solutions, which is now becoming an option with the new wave of security orchestration, automation and response (SOAR) products, for which there are many providers on the market. While SOAR products are not the end goal of invisible adaptation or artificial intelligence-enabled remediation, these products are effective at centrally visualizing your current protection and enabling as many features as possible within those products.
Best of all, SOAR products will validate the work of one product against the reporting of another and provide real answers when you are trying to determine a resolution.
SOAR is far from the target end goal of ubiquitous cybersecurity that remains out of sight and out of mind, but until those solutions reach maturity, at least understanding your problems at scale is a step in the right direction.