If you look at death rates, after heart and lung diseases and cancer, the leading cause of death in the US is accidents.
If you look at cybersecurity incidents, the leading cause is essentially accidents: sloppy system administration, users accidentally sending out critical information, bad choices that knowingly accept unacceptable risks, etc. Most deaths due to disease are the result of lifestyle choices people make; the same is true of cybersecurity.
Cybersecurity is much more like preventing long term damage to your house than it is tornado-proofing your house. It is keeping up with the regular maintenance, checking at night that the doors and windows are locked, making sure the gutters aren’t clogged, changing the furnace filters regularly – these are things that avoid the most common and most expensive negative events in home ownership. More than 90% of security incidents are due to either users making mistakes or system administrators making mistakes or just plain sloppiness.
Successful security programs are really about dealing with that, not about having some super duper wizard-like capability or magically changing human behavior. That’s why all the hype around a US cybersecurity czar position will end up just leading to more hype and posturing. Increasing cybersecurity is really an operational blocking and tackling issue, not a lack of visibility or policy or information sharing. The US needs an Information Security Program Office, not yet another czar.
I went through this in “Towards a National Cybersecurity Strategy” for those of you who help pay my salary.