This is a tale of what should be, but never seems to be, a strong lesson learned.

Every October, our industry “floods the zone” with best practices to promote National Cybersecurity Awareness Month (NCSAM). While noble in concept – setting aside an entire month to reflect and otherwise share deep thoughts about what is and what is not working to defend our digital assets – a deluge of vendors has devalued the occasion by turning it into a promotional platform that does nothing to truly help enterprises, their users and consumers.

It is time we discuss an uncomfortable truth: for too long, our industry has perpetuated what can candidly be described as a ruse. Working quickly and even feverishly to satisfy economic interests over security priorities, companies sell software that is inherently flawed, then subject users to a continuous cycle of updates that never really moves the needle in terms of protection.

This has emerged as the norm for us. We inundate customers with software products and a ceaseless cadence of updates, and then, during October, lecture them about patches and passwords and appropriate cyber hygiene while never actually resolving the issue at its heart. This is hurting our industry, and we may eventually cripple our reputation if nothing changes.

But there is hope, and what most people don’t realize is that a better way is emerging, if we can look past the myths and focus on a more positive and practical path forward.

So how did we get to this place? Because software plays are easy to pull off quickly, creating a fragmented marketplace of carny barkers all claiming to fix everything. But proprietary architectures and code are not ironclad. Yes, we love the flexibility of software. We can make it do amazing things! But we are the modern-day Icarus, reaching higher and higher on the wings of innovation until we fly too close to the sun. In reality, the astonishing flexibility of software makes it vulnerable, saddling us with complex systems in which simple bugs can lead to a vast array of compromises.

That is because computers use processors (known by computer scientists as “Turing machines”) to run different kinds of software with different applications. Sophisticated hacking is most often about taking advantage of the adaptability of those Turing machines by convincing them to run malicious applications, which lead to breaches, ransomware and additional unwelcome consequences. In other words, the power that allows us to “do something great” with software simply by supplying it with the right instructions also allows attackers to spot an unexpected behavior quirk and then give the software their own nefarious instructions. Mayhem ensues.

Still, we continue to offer point updates to end users to “make everything better.” And we peel off the pages of the calendar until we get to October, when we can trot out some “new” best practices (new, that is, if we’ve thought of anything fresh since the prior October). But remove the façade and you have a large sea of security vendors trying to stop things from getting too bad, too fast.

False hope dispensed ubiquitously during NCSAM and similarly staged events can only last so long. Enterprises rely on security vendors to mitigate a level of vulnerability for their end users, who expect top-notch protection. But it’s a complete falsehood to believe that enterprises will meet these expectations if the vendors keep going down the current path.

So, let’s chart a new path forward by next October. Vendors should not promote cyber hygiene; instead, they should admit that they have room to improve, and then tell us how they’re going to do it. That would amount to an admirable first step in committing to enterprises and end users with palpable actions designed to strengthen protection.

It’s a myth that the only way to “do” security is through software. Yes, hardware is inflexible. But, when crafted the right way, it brings the highest probability for mitigating vulnerabilities. Unlike software, hardware isn’t a malleable object that eagerly responds to commands. It is, frankly, too stubborn to hack because it is rigidly focused on a narrow purpose. Software is about the possibilities of anything. Hardware, specifically hardware that utilizes lower-complexity (non-Turing-machine) digital logic, avoids software’s weak points and does what it was originally told to do, and nothing else.

For everyone’s sake, we should hope to do something different and better by next October. Nothing will change, after all, until the security industry starts leading. It must concede that the software approach ignores the fundamental nature of cyber risk, because more software cannot overcome the intrinsic nature of how hardware works. This is the kind of awareness – as opposed to endlessly repeated best practices and platitudes – that can transform the industry into a true impact-maker.