Cybersecurity Is Dead — What Now?

Published
March 10, 2023

Sean Steele is co-founder and managing partner at Infolock.

Bad Guys 1, World 0


The past few months have exposed what many of us have been anticipating for the past decade: widespread, successful cyber attacks aimed at disrupting critical infrastructure, supply chains, basic systems of food production, transportation, banking, energy and health care delivery.

It’s a bleak picture:

  • Timed for the Fourth of July holiday weekend, the supply chain ransomware attack by Russian hacker syndicate REvil disrupted operations at more than 200 U.S. companies.
  • Computer manufacturer Acer’s recent $50 million data ransom demand from cybercriminals (one of the highest demands to date) will be one of many such high-dollar data hostage scenarios this year.
  • An Eastern European group known as Ryuk has hit at least 235 healthcare facilities in recent months, raking in more than $100 million, suspending some surgeries and delaying medical care, according to the Wall Street Journal (registration required).
  • The Guardian recently reported that the hack of the Colonial Pipeline in May 2021 was just one of a series of cyberattacks worldwide, targeting Brazilian-headquartered JBS (the world’s largest meat processor) and disrupting the global meat market, closing schools in Iowa and disrupting health care in Ireland.

We need to stop pretending the cybersecurity “war” is ongoing: It’s not. The bad guys have won. Cybersecurity as we know it has failed. At best, we’re attempting an organized retreat in a lopsided conflict with an enemy we can’t see or stop. At worst, we’re completely overrun and occupied — and we just can’t admit it.

What does our collective defeat look like? When cybercrime includes nation-state subsidies and logistical support, supply chains, subcontractors, multitier competitive differentiation, integrated marketing, sophisticated revenue sharing, reusable tooling, robust technical support and professional recruiting and career development programs — it’s no longer accurate to call it “cybercrime.” It’s a global industry.

At The Inflection Point


What’s at stake? For starters, the post-pandemic economic recovery. Concerns about supply chains and inflation will pale in comparison to panic over the integrity of our banking, health care, transportation and energy infrastructure. The scope and scale of the crisis transcend geo and domestic politics, national borders, class distinctions and ideologies, and it’s difficult to overstate.

Things will likely get worse in the final six months of 2021. Why? Because the leadership mistakes that have enabled the cybercrime crisis — decades in the making — can’t be fixed quickly or easily. In the 20 years between the late 1990s and the late 2010s, the cybersecurity industry, politicians, public policymakers, and organizational leaders embraced growth over resilience, compliance over security and technology over people:

  • We focused on externalities like attackers, threats and zero-day exploits, instead of internal, controllable items, like data protection, access controls and identity management.
  • We worked to comply with lists of regulatory requirements (e.g., HIPAA, FISMA, SOX, GLBA, PCI-DSS) instead of securing our highest-value, most-at-risk organizational assets.
  • We attempted to secure everything the same way, instead of differentiating and prioritizing assets, risks and protection mechanisms.
  • We invited security product vendors (many of them startup companies) and the venture capitalists and private equity firms who invested in them to dictate our cybersecurity priorities.

Gartner projected that in 2020, roughly $123.8 billion would be spent on security for applications, networks, the cloud and infrastructure protection.

Promises Made, Promises Broken


The promise of strong, resilient networks and endpoints, next-generation, automated threat detection and response and AI-driven security intelligence hasn’t been realized. The reality is organized cartels of bad actors have an almost unassailable advantage. Many are located in criminal sanctuaries that don’t prosecute or disrupt them. They fight in an asymmetric conflict against unprepared organizations who principally rely on technology solutions to defend against attacks. They focus their attacks on human beings who are notoriously difficult to educate, train and protect.

In fact, it only takes one click from one user on one bad email link to compromise many organizations’ digital assets. As the well-worn (but controversial) cybersecurity saying goes: “Defenders have to be right 100% of the time and attackers have to be right once.”

Admitting Is The First Step


How do we turn the tide and develop a sustainable defense that stands up to the future? In short: We stop playing the traditional cybersecurity game. We pick up our ball and walk off the court. These four ideas are critical:

  1. Stop pretending cybersecurity can “win.”
  2. Stop obsessing over attackers and attacks.
  3. Stop purchasing technology to fix our problems.
  4. Develop real resilience in our data core.

Data, Data, Data


We need to stop playing offense and focus on defense: true defense in depth. The other pieces of the puzzle we focused on in the past can’t be easily or adequately secured (threats/attackers, human behavior, networks); change too much, too often; or are largely outside our control (endpoints, mobile devices, cloud infrastructure); and/or aren’t intrinsically valuable (servers, applications, computing resources).

We must protect the target of attacks — our sensitive data — and build up and around that asset:

  1. Figure out what data we have.
  2. Assess our data resilience.
  3. Embark on a hearts-and-minds campaign.

We must stop looking for easy answers. Until we reshape our priorities and admit the cybersecurity “war” is lost, we will never move past the current crisis and begin rebuilding.
