I was on the road last week and had plenty of airplane time to catch up on some overdue reading and reflection. The week ended with a rather interesting event that had a significant impact on the Internet: the DDoS attack against Dyn's infrastructure. Now, just to warn you, this isn't a posting about how we could have fixed it and how we are the magic bullet for cyber security…we aren't that obtuse (although many other cyber security companies are seizing this as a marketing opportunity). Anyway, while at home this weekend, in between baseball games and kid birthday parties, I had a chance to reflect on the week and on our vision at Dark Cubed, and I was struck by the impact of three events from the week.
First, on one flight I came across an article in Wired titled "Hackers are not as sophisticated as they think they are." In this article, the reporter talks with Ian Levy, the technical director of the National Cyber Security Centre (NCSC) in the UK. One sentence stood out to me like a beacon; it comes when Mr. Levy is talking about the blame that should be placed on the cyber security industry:
“There is no other bit of public policy where the tone is set by a group of massively incentivized people.”
This article inspired me to look into the NCSC a little more, and I found the text of a speech by Ciaran Martin, the CEO of NCSC, that he gave to the Billington Cyber Security Summit. His speech was great… but one point really stood out, and it is totally aligned with our vision:
"So let me make a point we believe to be fundamentally true, and therefore critical to our strategy. The great majority of cyber attacks are not terribly sophisticated. They can be defended against. And even if they get through, their impact can be contained."
The full text of his speech is here; I highly recommend you read it. (https://www.ncsc.gov.uk/news/new-approach-cyber-security-uk)
Second, one of the reasons for my travels was to spend a day talking with a newly minted CISO from a company in a highly regulated industry. This was a relatively large, publicly traded company with employees spread across the country.
As our discussion progressed throughout the day, I was in awe of how much this person had accomplished with such a limited budget and staff. This CISO is operating in a company that is being bombarded with fear, uncertainty, and doubt about cyber security attacks, yet they are taking a no-nonsense approach to managing risk.
Time and time again, our conversation wandered down a well-worn path: "I would love to use that product… but the cost is too high," or, "We kicked the tires of that product… but it generated so many alerts that I would have had to hire more staff to get any benefit."
I was so impressed with their commitment to securing the data of the company and their customers, but I could not help but think that today’s cyber security products simply do not work for companies like this. The challenge is that many of the products on the market today are built against a fictitious model of what an organization SHOULD be from a security perspective versus the reality that real companies are facing every day.
Finally, my third reflection: in between growing a company, raising three kids, and other events in life, I always try to make time to read. Currently, I am making my way through a book titled "The Contrarian's Guide to Leadership." There are some fascinating points in this book, but one section that I read last week focused on balancing the reality of how humans behave and operate against how we wish people were. In this book, the author makes a fascinating point. "I am reminded here of a book on child rearing by Dr. Haim Ginott which my wife and I read many years ago. Dr. Ginott advised parents to teach their children the supreme importance of discerning and accepting reality, in order to either make peace with it or attempt to change it. In other words, don't let children delude themselves about how the world and its people really work." Given what we have been working on for the past two and a half years to change the future of cyber security, this passage struck me. We have built a cyber security market based on how we think companies should operate versus how they actually do. If we have any hope of making things better, we need to change the way we think about these problems and try something new.
Now, the culmination of these events against the backdrop of the DDoS attack created a rather stark realization for me: "We got ourselves into this mess, now how are we going to get out of it?" What I mean by this is that we, the cyber security professionals, have ignored the reality of what companies are really facing for too long and have instead chosen to focus on some of the hardest problems in security. For example: how can we get better at behavioral detection of zero-day threats? How can we build a cyber security framework that provides hundreds of controls for companies to follow? How can we get better at hunting nation-state threats within corporate networks? How can we get better threat intelligence on specific threat actors? And the list goes on and on.
Balance those questions against the mind-boggling reality that most companies today are not only NOT trying to solve these issues, they are simply trying to figure out how they can survive given such limited security budgets and the inability to hire cyber security professionals.
It is incomprehensible to me that an overwhelming majority of companies today have ZERO visibility into what is happening on their networks. This is not a "hard" problem; rather, it is a different problem. The problem has to do with solving the cost, scale, and complexity associated with cyber security capabilities. Why are we so focused on helping companies find zero-day threats when they can't even answer the question "were devices on my network part of this attack?"
At Dark Cubed we believe it is time for a different approach to cyber security that focuses on delivering results, not hyperbole. We are delighted to see organizations such as the NCSC joining the growing chorus of security experts who are pushing people to think differently about solving some of the systemic security challenges facing the world today. If you want to learn more about what we are working on and how we can help you, please drop us a line at firstname.lastname@example.org. We would love to talk with you.