
Attacks/Breaches

2/25/2020
10:00 AM
Jessica Smith
Commentary

Cybersecurity Industry: It's Time to Stop the Victim Blame Game

There are far more ways to be helpful than adding to the noise of what a company probably did wrong.

It's natural to become angry and indignant when we see a major breach story in the news. Many of these potentially affect us and those we know, and often some concern about a potential vulnerability remains unaddressed by the company in question.

However, as cybersecurity professionals, we also understand (but sometimes lose sight of) a few key facts that the general populace may not know.

We know, for example, that it is virtually impossible to plug every gap, address every vulnerability, and enforce every security procedure. We know that companies must determine the right amount of cyber spending against their other business priorities. While cybersecurity may be our primary focus, core business functions consume the majority of an organization's resources.

We also understand that organizations that deploy strategic security programs do so by willingly assuming an agreed-on level of risk. The goal, of course, is to only accept lower-level risks to the business while mitigating higher-level, core-business-impacting cyber-risks.

Yet even this equation is getting harder to achieve — and we get that. The enterprise attack surface is skyrocketing alongside exponentially growing IT complexity. Organizations are struggling with an ever-expanding security perimeter — it is now every employee with a device — as well as hybrid and multicloud environments, legacy assets, migration initiatives, third-party risk, a patchwork regulatory environment, and IT complexity brought by rapid expansion and M&As. The cloud security challenge alone is compounded by an increasingly complex shared-responsibility model. And the human factor will always be a frailty in the enterprise armor that can never be fully mitigated.

Finally, we realize that despite IDC's prediction that $133.7 billion will be spent on cybersecurity in 2022, up 45% since 2018, threat actors will continue to find a way in. Forrester predicts this year will see "more attackers with more sophisticated tools aimed at a larger attack surface," and that those attackers will leverage ransomware, artificial intelligence, machine learning, and deep fakes to make enterprises pay (in addition to other common methodologies we see in our business every day). Indeed, ransomware actors take advantage of the very fact that companies must prioritize their core business functions over security — because that is the heart of this malicious tactic.

Look at how much we know. Then, why is it that so many of us continue blaming organizations when they fall victim to a breach? It's time for us to stop and more boldly advocate against pointing fingers at cyber victims.

Certainly, every breach means some doorway may have been left open. But in many breaches, it can be difficult to understand the root cause. We can ask whether the victim was properly protecting the data, spending enough on cybersecurity, properly emphasizing the importance of protecting data, ensuring proper configurations, and deploying the right technologies, processes, and policies. Even if they can't answer "yes" to each of these questions, we must still wonder whether that had an impact on the breach in question. More problematic still, the reality is that even if they can answer "yes" to each of these questions, the company is still not immune to a data breach. Now, who do we blame?

I propose we shift the narrative and our approach. Rather than adding to the noise of what a company probably did wrong, we can offer helpful suggestions for what others can do today. We can assume the role of educators — offering best-practice advice through published content and partnerships, as well as helping organizations sort through the alarmist FUD factor (fear, uncertainty, and doubt) and get to the practical nuts and bolts. We can help companies determine where to prioritize their dollars to reduce the chances of more significant attacks (or reduce response times should one occur), acknowledging they aren't going to purchase every tool or service available.

We once had a client who said his company's approach had been to pay virtually any amount of money on security to help improve its security posture. If there was a new tool that looked useful, the company would buy it, even if it had a similar tool already deployed. However, rather than helping its security posture, this approach made it extremely difficult to sort out actual anomalies in the environment from false alarms. Likely, many companies would be willing to continue to sell him every tool in their arsenal — cybersecurity companies have revenue targets, too. A better approach we can all take is being a strategic partner, helping to reduce complexity, and building a base of longer-term trust.

We also need to ensure organizations are realistic about what their security investments can and cannot achieve and ensure they are planning for the worst-case scenario. They should plan for a data breach and know what should happen and how. Testing incident response and recovery plans can minimize the impact of a significant event and help increase the likelihood of a speedy response and recovery.

Yes, organizations make mistakes, and breaches occur. But the balancing act that company leaders face isn't easy. Security professionals can assume a more helpful, understanding, and empathetic role, rather than pointing fingers — particularly since we know the complexity of the challenge better than anyone.

Jessica Smith is a veteran practitioner of digital forensics with an extensive record of involvement in complex civil and criminal cases. She brings her experience and know-how to The Crypsis Group's client engagements, as well as helping direct the daily operations of the ...

Comments
Dr.T, User Rank: Ninja
2/27/2020 | 3:46:34 PM
Security program
"A better approach we can all take is being a strategic partner, helping to reduce complexity, and building a base of longer-term trust." Agree. Having a security program rather than tools to cover the holes.
Dr.T, User Rank: Ninja
2/27/2020 | 3:44:12 PM
Top priority
"Indeed, ransomware actors take advantage of the very fact that companies must prioritize their core business functions over security." We cannot expect companies to make security the top priority; they cannot stay in business with that approach, obviously.
Dr.T, User Rank: Ninja
2/27/2020 | 3:42:02 PM
Security perimeter
"Organizations are struggling with an ever-expanding security perimeter — it is now every employee with a device." Important point to make. It goes beyond individuals' devices. Cloud and IoT are a big part of it.
Dr.T, User Rank: Ninja
2/27/2020 | 3:39:22 PM
Core business
"While cybersecurity may be our primary focus, core business functions consume the majority of an organization's resources." Most businesses are not in the cybersecurity business, but that does not mean they can avoid it.
Dr.T, User Rank: Ninja
2/27/2020 | 3:27:21 PM
Not addressing issues
"Many of these potentially affect us and those we know, and often some concern about a potential vulnerability remains left unaddressed by the company in question." Agree. Companies tend to do a quick patch on the technology and forget the processes that put them in that situation in the first place.