Cybersecurity issues can’t be solved by simply buying a product
Year after year, data breach losses continue to rise and the cybercrime economy continues to thrive. What is the cybersecurity industry doing wrong?
Vendors must genuinely want to improve their customers’ security posture
If you ask Jeff Kohrman, the CEO of eCISO, a cybersecurity consultancy providing virtual CISO services and leadership mentoring for startups, the solution for most cybersecurity problems is not new, better tools.
“Practitioners are swamped with alert fatigue and changing priorities, mixed signals and inconsistent support from the business. They don’t need more tools to be more productive – they need processes that work in the context of their business, and relationships that enable those processes to be successful, and then tools can be of help,” he told Help Net Security.
Security vendors should invest into and partner with their customers to make the security that they need more accessible, easier for them to manage it for themselves.
“Learning to communicate risk without invoking fear, uncertainty and doubt is a technique that I’ve seen some vendors wield with enormous success. It’s amazing how impactful you can be when you’re open, honest, and realistic with people about your needs and what we are able to achieve today,” he added.
This approach takes commitment and a willingness to educate one’s target market, but the payoff is worth it: by creating a community of companies that have learned how to manage their company’s risks effectively, more customers will naturally trust those vendors with their business.
The effort must not be one-sided
Organizations looking to protect themselves should stop using vendors as a crutch and start demanding an appropriate level of partnership from them.
Kohrman also made sure to point out that, while we all prefer taking an easier route, organizations must realize and accept that most security issues can’t be solved that way.
“It’s the difference between doing the right things and doing things right. If, for example, you just want to pass a SOC 2 audit, you can certainly do the right things by purchasing services or products to meet a big portion of your compliance requirements. But just because you are SOC 2 compliant does not guarantee that your business is secure,” he explained.
“If, on the other hand, you want your SOC 2 compliance to mean something, you’ll need to do things right by investing time into security to create more mature business processes around those requirements before your new products can be effective.”
Preparing for future challenges
As internet access and new technology spreads to the far corners of the world, cybersecurity is becoming more of an active concern for people and businesses.
Kohrman predicts even more sophisticated attacks in the next few years and believes attackers will increasingly target small companies that are in their early developmental stages and might not yet have the resources to devote to managing their security posture.
He also predicts that these breaches are likely to result in sweeping legislation and data security regulations that will mandate strict cyber security practices and severe consequences for those who don’t comply. We must hope, though, that this will not end up stifling innovation and impeding the next generation of upcoming entrepreneurs.
But by far the biggest challenge the information security industry can expect to face is how to lower the barrier to entry for getting started with security for everyone.
“As a security community, we can help by approaching security pragmatically in our own organizations to teach people how to put security to use for themselves,” he advised.
In fact, making security even more accessible to companies and the people that support them was partly what motivated him to recently move from a multi-billion dollar DevOps company to eCISO: he wanted to continue focusing on making good security more human, more accessible to companies that need it most.
Breaking into security
Kohrman would like to see the security community working on being more open and inclusive.
“When I started learning about security, it was the perfect storm of opportunities. I was struggling with serious health issues and wasn’t able to go to IT conferences or user groups, but it was right when BBS were winding down and UseNet communities were totally open,” he recalled.
“I remember feeling like the whole world suddenly shrank down and landed neatly in my hands. Being physically limited to what I could do inside my own head, the chance to learn new things felt like a fundamental human right. Since then, I’ve realized that the security community isn’t always as inviting to everyone, not as accessible as it seemed to me. I got lucky. I’ve had opportunities that will probably never happen again, but that doesn’t mean we can’t offer even better experiences for people just getting started.”
The security community must set a positive, supportive tone for everyone around it to reset their understanding of what security is, he said, and praised the BSides events as an excellent example of being deliberate in managing the community like that.
For those trying to enter the cybersecurity field, he advises finding creative ways to make one’s skills relevant.
“I recently spoke with someone who had been laid off earlier this year and decided to pivot into security. They had taken training and even taught weekend classes on what they’ve learned, but no one would hire them for even an entry-level position. Their resume listed only a few months of security experience, but they had nearly 12 years of experience in sales, engineering, and public relations. Talking through what they did beyond security, they easily fit the requirements for a more senior role,” he noted.
“We need more creative thinkers, more smart people to solve these hard problems, and your experience in business intelligence, or sales, or even janitorial services can help you see these problems from a different perspective. Don’t sell yourself or your experience short. Security is not just a technical field anymore – it’s a business enabler, and we need all sorts to run a successful company.”