Smarter Cybersecurity Thinking: Change your Mindset to Even the Odds

Cybersecurity is undoubtedly one of the most challenging issues of the 21st century. It now tops the Director of National Intelligence’s Worldwide Threat Assessment, and the World Economic Forum recently declared that a cyber disaster could be more costly than a major hurricane. And yet, although we have invested huge amounts of time and money trying to defend our networks, the problem continues to get worse, not better. Why? A key reason is that we’re thinking about cybersecurity the wrong way. Common misconceptions keep us from approaching the problem in an effective manner. In order to bust these myths and look at one of today’s most significant issues the right way, we need to change our mindset about cybersecurity. We need to take a more holistic approach, where all parts of the business are interconnected and continuously protecting the entire organization.

Myth 1: Since cybersecurity is a technical problem, a technical solution will solve it.
Within most organizations, cybersecurity is usually portrayed as a technical problem for which there should be a technical solution. Executives in the C-Suite are told, “If you just buy the latest technology, it will solve your cybersecurity problem!” But this approach doesn’t work, because most of the fundamental problems we face in cybersecurity stem from non-technical sources.  For example, until we address the behavioral aspects of cybersecurity (you will never completely stop people from clicking on malicious links), the technical solutions will continue to fall short.  We must stop treating cybersecurity like it’s solely a technical issue for which there is a quick fix. Until we shift our mindset to a holistic risk management approach, it’s going to be difficult for organizations to succeed.

The Smarter Approach: Cybersecurity is a risk to be managed, not a problem to be solved.
Like all long-term, complex risks, cybersecurity has multiple, interconnected elements, including technical,  economic,  psychological, and business operational aspects. Once you move away from a quick-fix mindset and start treating cybersecurity as a long-term risk management issue, then you can implement an effective integrated set of technologies, business practices, and policies that address all these factors.  This approach can materially lower your risk. For example, organizations should build and maintain a controlled, well-managed IT environment where known vulnerabilities are mitigated; achieving this state has much more to do with organizational decisions and prioritizations than it has to do with technology. Organizations without the resources to employ these practices organically should work with cybersecurity providers to develop the best possible posture that fits within their operations.  

On the flip side, taking a long-term, risk-based approach means that a company cannot protect every asset or stop every threat all of the time. Instead, organizations must identify their most important systems and information, and invest the resources to increase protections for those assets, while assuming risk in other areas. This approach also means that cyber incidents will occasionally occur, and therefore, organizations must prepare for such incidents, ensuring that they have and are able to exercise a robust incident response plan. Finally, this approach requires organizations to think about how they would reconstitute their systems or recover their data after an incident.  Again, it’s a holistic approach to thinking about cybersecurity.  

Myth 2: You lose your competitive edge when you share cybersecurity knowledge.  
Another challenge is that cybersecurity companies often think that because they compete with each other, they can’t collaborate.  Further, many companies believe that sharing their valuable data will dull their competitive edge, so they are reticent to work together to combat persistent threats. Yet, the truth is that no single company on its own can really be effective in combating the cyber issues we face.  

The Smarter Approach: Companies can share data and collaborate while competing fiercely.
The underlying philosophy of CTA is that when cybersecurity companies share threat intelligence at speed and scale, they can make their products and services more effective for their customers, including critical infrastructure. This model drives competition to higher points on the value scale, and it’s more beneficial to the greater cybersecurity community. Sharing threat intelligence doesn’t blunt a company’s competitive edge; in fact, it sharpens it.

CTA’s model also allows our members in the cybersecurity industry to coordinate with each other operationally, as we did during the WannaCry and NotPetya incidents. This approach helps build a more robust understanding of the situation and allows member organizations to more rapidly update their products and data sets to quickly protect their customers. Working together makes us all better, more responsive to our customers’ needs, and improves the greater good – and allows them to focus on building new and more secure products, instead of triage.

Myth 3: You should focus on making your castle stronger and your moat deeper.
Although leading experts have long argued that the “castle and moat mindset” is inadequate, the concept still pervades most thinking about cybersecurity. But this approach obviously doesn’t work. You can’t build thicker walls and deeper moats to keep the bad guys away, especially because today’s enterprise, application, and threat landscape are constantly evolving. Today there are multiple points of entry for malicious actors to get the “keys to your kingdom,” and every time security companies build the wall higher, the bad guys simply lengthen their ladders.  
You’ll also hear that the defender must always be right, while the attacker or intruder only has to be right once. If we keep looking at it that way, we’ll always lose, because that’s an unwinnable game. It’s like playing against the house odds in Vegas.  But if focusing on walls and moats doesn’t work, what’s the alternative?  

The Smarter Approach: Don’t just focus on “keeping out” bad actors. Disrupt their larger goals and activities at multiple points.
Rather than thinking purely in terms of blocking an intruder at a boundary, we need to broaden our thinking about how we can frustrate intruders in multiple ways.  Malicious actors are trying to achieve a specific goal–whether it’s theft, disruption, or espionage—and getting past the “wall” is only one step.  In fact, to achieve their goal, attackers must execute a series of steps perfectly. If you disrupt any of those steps, the attackers will fail to achieve their goals. If we expand our point of view beyond a single organization and a single intrusion, and build on shared intelligence as discussed above, then we can begin to map out the bad guys’ typical playbooks and identify how they will likely try to achieve their goal.  This approach changes the entire nature of the cybersecurity problem.  This mindset allows defenders to level the playing field and give themselves more than one chance to stop the bad guys.  It shifts the burden of being right every step of the way to the attacker. That’s how governments, the cybersecurity industry, and companies can re-stack the odds in their favor.

If we can change our mindset and apply smarter thinking to our cybersecurity problems, then we can make real, demonstrable progress.  With the right mindset and a holistic strategy in place, we can start to build the right tools, enact effective policies, and establish the needed collaborations to tackle our cybersecurity challenges over the  long-term.  Of course, each one of these mindset changes could form an entire blog post.  To that end, we’ll explore each of these approaches in greater depth over the coming months. So keep an eye on this blog and watch out for these posts.  

Author: Michael Daniel