Why Cybersecurity is Hard

No slouches

This past summer, 3 of the big 4 accounting firms were in the headlines for cyber incidents. These are large, well-resourced companies, full of risk professionals, including some that provide security consulting services. So how is it that even these experts can get popped?

I’ve worked closely with all of the big four firms in the past 7 years. I have many colleagues, former classmates and friends at these companies. And let me tell you: they’re no slouches.

That it can happen to them, and by the way it's also happening to tech giants with 2 trillion dollar market caps, is a real-life case study of some security clichés:

  • We're all targets

  • There's only two types of companies: the ones that know they've been breached and the ones that don't

  • It's not if but when

  • Defenders need to be flawless, attackers only need to get it right once

And while these are clichés to the security community, I find that they're still not well known or understood outside that group. So for a generalist audience, in this essay I walk through 10 reasons that cybersecurity is hard.

In addition to creating awareness, I’m also hoping this helps eliminate the stigma that if you get hacked you're a bad defender. Not true. Even a great security program can be hit by an apex predator.

It's not good enough to only IDENTIFY and PROTECT; you also need to be able to DETECT, RESPOND and RECOVER.

Here are 10 reasons cybersecurity is hard:

#1. Technology is Everywhere

Every company is a software company. We have a daisy chain of sensors and servers and endpoints, on the edge and in the cloud, making our attack surface in cyberspace large and growing. Scope is big.

#2. Technology is Inherently Flawed

I like Yuri’s summary here. And I like that he's asking the question: “why is security hard?”

All systems fail and all systems are vulnerable. Since 1988, 200,000 vulnerabilities have been discovered in software. And of course that’s just what’s reported; many more are undiscovered 0-days.

Check out CISA’s known exploited vulnerabilities database. As at the date of my video it had 161 vendors with 981 vulns. And these vendors are recognizable brand names we depend on day in and day out.

And the problem here isn’t only that there are bugs in code and humans are fallible. It’s that the Internet was first built on the assumption that its users could trust each other. Its protocols were designed to communicate between known parties. It was the opposite of zero trust.

And with any system depending on an element of trust, there’s an opportunity for misuse by threat actors.

#3. Technology is Rarely Secure by Default

I like the example of ISP modem/routers for this. In February the NSA provided guidance for securing home networks, and it included a recommendation to use a personally owned routing device that connects to your ISP-provided modem/router.

Why can’t I just trust the appliance my ISP gave me? Because it’s built to be plug-and-play frictionless for the end user, to not be too expensive, to compete with other ISPs, and to reduce costly returns and calls to tech support. This becomes a short-term gain for long-term pain situation, however, when consumers get hacked because the router isn’t configured to be secure. All of the windows are open and none of the doors are locked.

Next there’s the White House in July, launching its cybersecurity labelling program to protect consumers. It picks on home modems again, saying:

we need an immediate effort to help people with consumer grade routers. These are high risk and if compromised can be used to eavesdrop, steal passwords and attack other devices on the network.

In April we had American and Five Eyes country agencies collaborating on this problem. It says in the headline:

The idea is to have devices secure out of the box, and to make consumers acutely aware when they deviate from safe default settings.

But it’s hard to blame consumers and businesses for having insecure configurations, because:

#4. Technology is Complicated

At last count there are 3,500 security vendors. Here’s an eye chart of them:

And here’s what those products from 3,500 vendors are doing:

  • They’re providing security for data, applications, endpoints, networks and perimeters

  • They do it on prem, in the public cloud and in the private cloud

  • And they do it during each phase of the Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover

It’s a fan, it’s defense in depth, and it has many complicated layers.

#5. Cyber is a Dynamic Threat, Not Static

Fire Doesn’t Innovate talks about how fire used to be a huge problem for society; for example, there was the Great Chicago Fire that killed 300 people and wiped out 17,000 buildings.

But then over the decades, people were able to study fire and make rules, regulations, fire departments, smoke detectors, and awareness training programs to stop, drop and roll.

And these allowed society to safely bring this dangerous element into all of our homes, so that we could benefit from it, to stay warm and cook our food.

But the risk of fire is easier to manage than cyber risk, because it’s static. It always wants the same three things: fuel, heat and oxygen. That’s it. And fire isn’t a conscious being that can innovate to bypass the controls we put in place.

Cyber, on the other hand, is an arms race of innovation, for complicated technology, between attackers and defenders. As a result of this race, the landscape is constantly changing, and cybersecurity professionals need to be continuously learning.

#6. Cyber is a Silent Killer

Unlike when you get your car stolen, when your digital identity is stolen, or when hackers get into your network, often you don’t know it.

There’s no smashed window or missing car. Your passwords, social insurance number and emails are still there where you left them.

But the crooks now have a copy or access to these digital, intangible assets. And they might wait months or years to weaponize them.

For example, some victims of email compromise had hackers monitoring their emails for months or years, until the day came when there was a big online payment: a down payment on a house, selling a business or receiving an inheritance. And they only found out they were breached when the money never came. It was stolen by patient hackers.

#7. Economics Drive More Actors and Capability

The cost of cybercrime went from 3 trillion dollars in 2015 to 6 trillion in 2021 and is forecast to reach 10.5 trillion by 2025, according to Cybersecurity Ventures. I’ve seen that number get disputed, but regardless of how many zeros are involved I think the industry can agree that the economics are growing.

Here’s Night Dragon with what happened in 2022, saying that there was $6 trillion in losses from cyberattacks vs. a $400B market for cybersecurity vendors.

#8. Early Innings: The Science Isn’t Settled

Here’s Night Dragon again with the evolution of the threat:

It’s saying that the danger level of cyber threats was low in the 90s with hacktivism, and then rose with cybercrime, ransomware and terrorism. Its chart is from 2018, and certainly in the past 5 years since then this danger trend has continued to ramp.

A key takeaway here is that we’re in early innings. The cyber threat is fairly new and the science isn’t settled. That’s why Daniel Miessler from Unsupervised Learning says that in this early state security is alchemy, unlike accounting, which is chemistry. We don’t yet have our arms around what the inputs and outputs are in cyber in order to be secure.

#9. There is a Skills Shortage

This rapidly growing field will have a projected 3.5 million unfilled jobs by 2025. Why is that?

  • Hiring managers want people with experience

  • New entrants don’t have experience

  • It’s the chicken and the egg.

I think a lot of people in business and accounting can fill these seats in GRC roles, but they don’t know it. They think you need a computer science degree, which is a myth.

#10. What Did I Miss?

What did I get wrong or right? Please let me know in a comment.

I’ve only been doing this for 3 years and I want to keep learning.

Once we have the problem statement defined of why cybersecurity is hard, we can start to solve it.