Mixed Messages

I must admit to suffering some confusion when it comes to the comments coming out of the top flight security industry providers. With a past statements made by McAfee, firmly confirming that the battle against the cyber criminals was being won by the good guys – but now set that opinion against the backdrop of statements post Black Hat where three CEOs cybersecurity companies that bring in roughly $2 billion a year suggested that “Cybersecurity is a broken industry.” So just who is right?

In my opinion, the statement made by McAfee was not only born out of arrogance, but was flawed, and misleading, as it was made at a time when we were seeing the continued rise of a global epidemic of cyber adversity, which has since grown year-on-year, and as of 2016 is showing no indication of shrinking! Clearly, you may have guessed by now where I am supporting – in fact I have been of this opinion now for at least 5 years – the industry is broken, but why, and how can we fix it?

The problem is not actually the technology, for if you have enough funding in the pot, you can deploy enough security into the enterprise that would make it difficult for even authorised users to get productive – so the tools and applications are in existence to secure the enterprise.

So what about Professional Certifications? Well on the surface, these are a good start. But take care, as I am very much aware of a number of Certified CISO’s who have actually fudged their own profile to suggest what they are not – and in one case I am aware of, the application of back-scratching creative recommendations, and contrived [copied] LinkedIn profiles have been enough to earn what should be regarded as a very robust qualification. So rule of thumb here, no matter what the piece of paper says, look at the background of the person in front of you, and ask a few difficult questions to dig beyond the paper.

And what about the formalised Certifications like ISO/IEC 27001 – sadly here also there are gaps. Take it from me, as one who has put many organisations through to Accreditation – what they demonstrate as robust controls on the day of the audit, do not necessary reflect their real-world of operations when they are not under scrutiny – the world of smoke-and-mirrors does work occasionally to show the naked as fully clothed.

My own humble opinion of the current position of the world of cyber is – accept you have been compromised, hacked, and the attackers are in your world – and once you can grasp this unimaginable position, you may through a six, and move to the next position on the cyber-game board.

The bottom line problem is, assuming we have the right security technology and defences in place, ask the question “are they understood and managed?” It is here where I believe the missing link in the security chain exists – in the form of pragmatic cyber security skills, which may only be achieved by both practical levels of training, and familiarisation of the devices, and applications which have been deployed to support the technological and operational security mission.  But what do I base this opinion on? Allow me to share an example with you. Year 2015, big name hotel chain who were advised by their supporting US based SOC that their FireEYE logs were showing indications of Malware/Ransomware on the inside of their environment – response ‘Ignored’. However, to be sure the message was driven home, emails were sent to the Security Manager outlining the discovered exposure, along with others forms of alerting, all of which were not responded to. Until that was, one day a user clicked a link, seven servers were locked down, and one POS box was inflected, along with what looked like a RAT calling back to home!

Time has arrived where we must acknowledge that it is not enough to follow the guidelines of the ISO/IEC 27001, lean on the fact that we have some form of Certification, or Accreditation – the time is here which dictates Cyber Security Management Training, and Incident Response Skills are a must have to have in place at the highest level of importance to the organisation. Don’t just check the lights are flashing on the kit sitting in the rack – but also check the lights in the heads of those who are employed to look after the security mission are blinking, and showing signs of life as well – if you don’t have synergy in place between technology and skills, you may only expect more of the same.