Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Jack Miller
Jack Miller
Connect Directly
E-Mail vvv

CISOs' Cyber War: How Did We Get Here?

We're fighting the good fight -- but, ultimately, losing the war.

I have spent a great deal of time on the front lines of the biggest conflict of our age: the cyber war. In almost 20 years as a security professional, I've reached the conclusion that while we are all fighting the good fight and winning some battles, we are ultimately losing the war.

Like a runner on a treadmill, we are working our hearts out and not getting anywhere. When I tell a CISO "I feel your pain," it's because I have the scars to prove it. It's a thankless, lonely, stressful job, and the kicker is how much we all want to do it well.

Before we can stop fighting battles and start winning this cyber war, we need to understand how it got started. Every company today has some level of technical underpinning, and what makes it all work is software. One of the most powerful attack vectors for IT, therefore, has been software vulnerabilities. These vulnerabilities, which can range from simple to fundamental, are intrinsic to every software product in every industry.

We've come to accept software vulnerabilities as part of the package, but the question is why? Why are vulnerabilities part of doing business?

The simple answer is unavoidable: market pressure. Markets are constantly evolving and demanding new ways to work smarter, faster, and more cost effectively. The prize, in terms of market share, often goes to the company that gets there first. As a result, products are sometimes forced out the door before they have gone through thorough testing and quality assurance. In the balance between getting the job done first and getting the job done well, being first usually wins and often wins big.

I believe this is why most software products feature extensive indemnification clauses. If the companies are held blameless for bugs and vulnerabilities, the benefit to shipping early can outweigh the risk — at least for the software company. Of course, we as CISOs often end up on the losing end of that proposition.

Another issue is security industry vendors. In an environment fraught with threats, there is money to be made by selling a solution to the problem — whether the product actually performs as promised or not. Promises are easily cloaked in the latest assortment of buzzwords, while the real-world capabilities may not really appear (or not appear at all) until someone is banging on your door.

Although it might be easy enough to blame the situation on simple greed, I believe that many of these issues stem from the fact that the security vendors are not themselves CISOs, nor do they always have a CISO on staff. They do not know the issues CISOs face; they only know what their product does in a sometimes-constrained scenario. And if you only have a hammer, every problem looks like a nail.

Regulations can further complicate the problem. I believe strongly in the aim of today's cybersecurity regulations, but like the security products themselves, they can often lag behind the real world that CISOs live in. Complying with these regulations can create busywork that diverts our attention and resources from implementing meaningful controls to working on stuff that provides little, if any, benefit. (Antivirus software on my mainframe? Really?) Meanwhile, the internal audit process and staff required to maintain compliance often serve to further distract us and prevent us from focusing resources where we really need them.

In the end, however, it is important to step back and look at what is really driving this situation. It's the business. Software products are rushed to market, sometimes before they are well tested, because business demands it. Security products are purchased then found not to perform as promised, because a tactical fix was essential to business uptime. Cyber regulations are instituted to protect the business, but they are often so out of step with reality that they end up draining focus and resources.

The culmination of these issues is an enormous workload that far exceeds the available security resources that exist today. Ask CISOs about their top challenges, and they will tell you that finding and retaining qualified staff is among the greatest. Consequently, we will never be able to tackle these issues with a tactical approach. We must become more strategic.

Related Content:

Jack Miller is the Chief Information Security Officer of SlashNext, maker of the Internet Access Protection System, a cloud-powered solution that leverages cognitive computing to detect complex and interlinked Internet access attacks, including social engineering and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Dimitri Chichlo
Dimitri Chichlo,
User Rank: Apprentice
1/14/2018 | 4:23:33 AM
Re: Software == Bugs
Thnak you for your article, Jack. Indeed, software==bugs but, yes, we know means of programming that avoids most of code mistakes. Plus by stretching the time to market, you are putting your business at risk (ex.: Diginotar).

What puzzles me in this industry, is that we take for granted something which is completely unacceptable in other industries. Take automotive for instance. Do you imagine that every month the car dealer calls you to fix something in your newly acquired car (ABS, airbag, brakes, etc.)? By the way, this can very much be the case in the future, as cars are no more than driving appliances but so far, we have seen limited cases, but they do exist. 

However, do you have to be a CISO to understand the need for security? I do not completely agree with that. I think that this is rather a question of common sense. One of the challenges we face as infosec professionals is to pass the message higher. Do we really succedd in that? I doubt. It is just that security is still not embedded in IT (yet) and not considered as a (potential) competitive advantage. 

Not sure also about the concept of cyber war. I would leave that term to a state level concern, not at business level, although some businesses are strategic for countries, but this is another story. I would rather use "IT security" (not really sexy though :). 


[email protected],
User Rank: Author
1/9/2018 | 11:39:06 PM
Re: Software == Bugs
Thank you for your comment. I do agree with you, these points you clearly articulate are valid and must be taken into consideration for developing any meaningful and workable policies or regulations.

While some discovered vulnerabilities might have been virtually impossible to find with even the best QA program, unfortunately, there have been many that should have easily been identified and remediated but were not and that problem must be resolved. 

Likewise, with concern to innovation, I don't think it is an either/or conversation.  Even in the most regulated industries there is always innovation, the most important thing is that we have a level playing field. 
Brook S.E.S308
Brook S.E.S308,
User Rank: Apprentice
1/9/2018 | 1:53:30 PM
Software == Bugs
The Turing Proof has not yet fallen. Short summary: an automated process cannot prove that an automated process is correct.

IOW, software can be proven to have errors, but not proven to be absolutely correct. That means that we will be living with software errors for sometime - imagining that viulnerability is entirely a business problem missed a key technical fact of life. 

Plus, not all vulnerabilities are equal. Many are not really of value to real-world adversaries. Risk assessment will continue to be important.

As I have noted both in my books and elsewhere, error is also an artifact of innovation. When attempting something new, it's not going to be "right" for a while; mistakes will be made. 

Finally, designs for yesteryear will likely not survive tomorrow's research.

Meltdown/Spectre is precisely this situation. Speculative execution has provided enormous CPU gains. We now know that those gains came with a security cost, because dedicated researchers probed and prodded to find holes in the design. future designs are thus improved. 

This last point is key: it's very hard to anticipate every possible use case and mis-use case for a design. While analytic tools like Threat Modeling can anticipate known techniques, it's very hard to see far into research and attack future.

While your points are certainly valid, the argument, I believe is incomplete without my additions


/brook s.e. schoenfield
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-15
An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefs_smtp_psw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. The...
PUBLISHED: 2021-01-15
An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to be accepting malicious...
PUBLISHED: 2021-01-15
An issue was discovered in flatCore before 2.0.0 build 139. A reflected XSS vulnerability was identified in the media_filter HTTP request body parameter for the acp interface. The affected parameter accepts malicious client-side script without proper input sanitization. For example, a malicious user...
PUBLISHED: 2021-01-15
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter.
PUBLISHED: 2021-01-15
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the post_title parameter.