I’ve gotten my hands on a copy of the new hotness in the cybersecurity community, Tribe of Hackers by Marcus J. Carey & Jennifer Jin. This book is a compendium of cybersecurity and hacker luminaries answering a battery of questions about themselves, cybersecurity in general, and advice for aspirants to the industry. I loved the idea for this. And I figured I would go through a self-exercise related to the book by going through the questions myself. I wanted to compose answers before reading any other responses in the book, and then later after reading the book, go back and see if any of my answers can or should be adjusted based on possible shifted perspectives. This might take quite some time, as this book is bigger than I expected!
Since the questions are sometimes weighty, and I tend to be somewhat verbose, I also plan to break the questions up into logical groupings while maintaining their original order.
1. If there is one myth that you could debunk in cybersecurity, what would it be?
There are two myths that I tend to poke at with a long stick during quiet moments. One is the idea posited by many a marketing team that some tool or process is absolute and will provide any sort of “perfect” security (while their security engineers say there are no silver bullets). Very few things are so absolute, and those that seem to be, tend to be smaller in scope. Segmentation, binary yes/no access, walls.
The other is that we, as information security defenders, can “win.” There is no winning in a sense that the attackers will be beaten and we can ride off into the sunset; there is no checkmate or surrender. This dance is going to go on forever, and we do the best we can to secure the things we have control over, and hopefully that is enough for our constituents. Never get disheartened that this fight seems to be never-ending, because that’s exactly what it is. The war won’t end, but we can win battles. Embrace that, and play the game with enthusiasm and positivity.
2. What is one of the biggest-bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?
I imagine answers to this reflect where someone’s mind is, tactical or strategic. Strategic answers are a little easier, since they may mean doing multiple tactical things as part of that initiative. So, I’ll stick to tactical. Every few years I post a blog about the top 10 things I tell small/medium businesses they should focus on to improve or start tackling cybersecurity. Pretty much any of those items is a good value option.
For this open-ended question, though, three things bubble up to the tap: 1) Know what you are responsible for. Keep an inventory of systems, data, accounts, and software. Defend accordingly. 2) Patch management. Just. Patch. The Things. 3) Least privilege. And it is this last one that I think may be the most important for this particular question, for me today. Limit privileged access, limit privileges on workstations, limit access to data. Attackers can compromise people and systems, but we need to make them work harder and longer to get to the things they want, which in turn will give defenders more chances to detect them.
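The first and third items above reinforce each other: you can only enforce least privilege on systems you know about. As an added illustration (my own sketch, not from the book), here is a small Python audit that takes a constructed asset inventory recording which accounts hold administrative rights on each system, compares it against an approved-admin policy, and flags anything outside it. The inventory, policy, system names, and account names are all made up for the example.

```python
"""Least-privilege audit over an asset inventory (constructed example).

Given an inventory of systems with the accounts present on each and whether
each account holds admin rights, report:
  * admin assignments that the policy does not approve,
  * how many systems each account administers (blast radius), and
  * systems that appear in the inventory but have no policy entry at all.
All data below is constructed sample data, not from any real environment.
"""
from collections import Counter

# Constructed inventory: system -> list of (account, holds_admin_rights)
INVENTORY = {
    "ws-finance-01": [("alice", True), ("bob", False), ("svc-backup", True)],
    "ws-finance-02": [("bob", True), ("carol", False)],
    "srv-files-01": [("svc-backup", True), ("dave", True), ("alice", False)],
    "ws-hr-01": [("erin", True)],  # present in inventory, missing from policy
}

# Constructed policy: which accounts are allowed admin rights on each system.
APPROVED_ADMINS = {
    "ws-finance-01": {"svc-backup"},
    "ws-finance-02": set(),
    "srv-files-01": {"svc-backup", "dave"},
}


def unapproved_admins(inventory, approved):
    """Return sorted (system, account) pairs holding admin rights outside policy.

    A system with no policy entry is treated as approving nobody, so every
    admin on it is reported; silence is not consent.
    """
    findings = []
    for system, accounts in inventory.items():
        allowed = approved.get(system, set())
        for account, is_admin in accounts:
            if is_admin and account not in allowed:
                findings.append((system, account))
    return sorted(findings)


def admin_footprint(inventory):
    """Count how many systems each account administers.

    An account that is admin on many systems is a single credential whose
    compromise reaches all of them, so wide footprints deserve scrutiny.
    """
    counts = Counter()
    for accounts in inventory.values():
        for account, is_admin in accounts:
            if is_admin:
                counts[account] += 1
    return dict(counts)


def unmanaged_systems(inventory, approved):
    """Systems in the inventory with no policy entry: an inventory/policy gap."""
    return sorted(system for system in inventory if system not in approved)


if __name__ == "__main__":
    for system, account in unapproved_admins(INVENTORY, APPROVED_ADMINS):
        print(f"UNAPPROVED ADMIN: {account} on {system}")
    print("admin footprint:", admin_footprint(INVENTORY))
    print("systems without a policy entry:", unmanaged_systems(INVENTORY, APPROVED_ADMINS))
```

Run against a real environment, the inventory would come from whatever asset or directory export you already trust; the point is that the audit is only as good as the inventory feeding it, which is why item 1 comes first.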
3. How is it that cybersecurity spending is increasing but breaches are still happening?
Security always follows insecurity. It’s just the nature of the beast. As our technology grows more ubiquitous in life, it also becomes more complex, and thus fails in complex ways. Technology, the internet, and cyber-things are still in a rapid growth phase, and are showing no signs of slowing down to allow us to catch our breath. And so too are cyber attackers. And let’s face it: if no one is ever going to break into your house, there’s really no need to maintain security. Insecurity fuels this industry and our jobs. It just goes back to that never-ending dance we do.