I thought it would be appropriate to start off 2015 by adding my voice to a rising chorus from advisors, consultants and others in the cybersecurity industry with a short and simple message. We as an industry cannot help you if you’re not willing to help yourselves. And helping yourselves means you have to do (at the very least) the minimum required to secure yourselves from the most common types of cybersecurity threats and attacks.
Now this may seem to be an obvious comment, and you may be wondering “why is he wasting my time telling me this?” I’m taking the time to do so because, frankly, many of you do not appear to be listening. It may be time to be a bit more blunt and direct. Reams of research and guidance have been written and delivered over the years outlining the basic principles and practices for establishing cybersecurity strategy, governance, planning, management and operations. Descriptions of these steps to core competence can be found not only in Gartner research but in many other sources. For many of you, establishing this core competence does not require large or expensive purchases of technology and services, nor does it require major shifts in process or organization. But it DOES require discipline, structure and cultural change regarding where cybersecurity fits within your organization and the priority you give to the changes that must occur. This core competence also requires a level of communication and awareness that is apparently not working in its current form of delivery, and a level of coordination with service providers, supply chain partners and external parties that does not appear to be taking place.
Let me be as clear as I can be: unless you take these first, basic steps, we cannot help you. As one recent publication reported bluntly, “you can’t fix stupid”. While it is not my intention to insult some of our readers, I need this core idea to take root: if you’re not willing to establish a basic cybersecurity foundation to counter the most common and predictable threats facing you, no expenditure on technology, process change, organizational change or outsourcing will solve the more complex and challenging cybersecurity threats that are arising today.
To me, this is the biggest issue today in cybersecurity. The sophistication and volume of attacks are increasing. We can no longer depend upon attackers to simply “reuse” old attack methods and old malware slightly modified to mount new attacks. Operational technology (OT) systems and the Internet of Things (IoT) are using new ideas and approaches along with IT to deliver their services, and those that want to mount attacks on these targets are using new ideas and approaches to deny, disrupt and destroy those services.
If we continue to have to address ALL levels of cybersecurity maturity in an organization, we will fall further and further behind in presenting a united front against these types of attacks. We MUST grow up. We must have a foundation upon which to build a more robust and sophisticated defense against increasingly robust and sophisticated cybersecurity attacks. Having that foundation should be a given. Without it, attackers don’t have to be sophisticated in their approach; they can continue to use the tried and true methods that have worked for decades.
Make a New Year’s resolution that you will establish basic cybersecurity principles and practice in your organization. Take the necessary steps to prioritize cybersecurity discipline and DO it. Time is running out, and we have bigger things to address than stupid cybersecurity mistakes. If you haven’t yet modified your risk equation to take into account what is happening in cybersecurity, now’s the time to do it.