I attended a recent IT Professionals User Group meeting that featured yet another presentation by yet another ‘security’ vendor. Maybe I’m missing the point of these types of presentations but I didn’t feel it moved the needle in any meaningful way when it comes to cyber security. I wish I could get that time back I’ll be honest.
I’m finding that continual disappointment a lot if I’m honest. There is lots of talk but very little meaningful action when it comes to cyber security. Most of the focus of cyber security seems to be continually placed solely on how bad things are and this is probably more to aid in selling ‘product’ than it is in really providing real meaningful solutions. That, is a bad thing.
It is unfortunate that the whole ‘cybersecurity’ space is now seen as a revenue opportunity rather than a problem to be solved. Fear is probably the cheapest and easiest method of selling something and I see it in full swing where ever I go these days. There is no doubt that fear gets people’s attention, but fear alone does not solve the problem. Fear is an emotion not an action.
Good cyber security doesn’t need more bells, whistles and bright shiny objects, it needs people to implement and adhere to best practices and star using what they have already. Rarely does adding anything ‘more’ solve a problem because typically, more is simply a way to avoid addressing the actual root cause of the problem and making hard choices that need to be made. It is merely a way to be distracted from doing the ‘hard yards’ that implementing and adhering to best practices requires.
The amount of time, money, blood, sweat, PowerPoint slides and tears I see being utterly wasted on inconsequential approaches to cyber security utterly amazes me. Just when I think it can’t get it any worse, it does. It is no co-incidence, I would suggest, that as this wasted effort increases so to does the actual damage that cyber security incidents realise. Co-incidence? I think not! Why? All talk, no action.
Yes, there is no doubt, by any measure there is an issue. However, there isn’t a need to keep telling me this over and over and over again in the vain hope that I’ll buy some quantity of your magic cyber security snake oil remedy that in all honesty will just complicate things and rarely aid in help solve the problem. Work with what you have access to first, then seek to add more. Security starts with simplicity.
If you haven’t worked it out already, people are the problem when it comes to cyber security. Simple. The methodology and the tools to solve the problem are already available. Yet they largely lie under implemented and under utilised because of the human consequence from the lure from the next bright shiny object peddled by those regurgitating familiar statistics but with different slide decks.
Perhaps it’s just the old world engineer in me, out of touch with greater humanity, and that may be true. However, it doesn’t mean I’m wrong!
Stop trying to buy your way to peak cyber security and start doing the work. It is that simple. And guess what? All the stuff you need to improve cyber security is probably already available to you and is laying around neglected. The missing key ingredient is nothing more than effort expenditure. We’ll never solve the cyber security problem without effort and I think this quote from Edison is quite apt here:
Opportunity is missed by most people because it is dressed in overalls and looks like work
I will never claim that cyber security is easy. What I will however claim, is that there is so you much you can and should be doing but you aren’t. Everyone that is. From the business owner to the IT Professional to the government and beyond, let’s focus on solving the problem rather than simply using it as a topic of conversation or a method of sales conversion. Let your actions speak louder than your words when it comes to cyber security.
CIAOPS 