When you read what’s
happening in cybersecurity, you could cry. We are being bombarded with
cybersecurity fails. Recent egregious examples are Equifax and Capital One. To
quote an August 2, 2019 article by Tom Foremski, “A dismal industry: The
unsustainable burden of cybersecurity,” which is available at https://www.zdnet.com/article/a-dismal-industry-the-unsustainable-burden-of-cyber-security/:

“Cybersecurity spending is
the fastest-growing segment in IT budgets, but it provides no productivity
gains or protection against more advanced exploits.”

I do not support the
first claim of “no productivity gains” since we Infosec professionals have long
asserted, I believe correctly, that strong cybersecurity is an enabler,
allowing companies to deploy applications and systems that would otherwise not
be feasible because of their inherent vulnerabilities.

But I do agree with the
second claim of inadequate protection, as highly visible successful exploits in
critical sectors have demonstrated. The real question is whether it is indeed
possible to provide strong enough protection. Perhaps it is not possible. And
if not, how do we then proceed?

Foremski’s gloomy article
comprises a report on a cybersecurity panel discussion at “Finn Partners in San
Francisco.” Experts from NASDAQ, Redseal, Kount, Centrify, the FIDO Alliance
and Keeper Security expounded on attacks and mitigation approaches. We see the
usual suspects and remedies.

Durgesh Gupta of NASDAQ
faults lack of government help for smaller organizations and disinterest by law
enforcement in lower-level attacks. Ray Rothrock of Redseal suggests that
increasingly sophisticated attacks require fast response and victim
organizations should not cover them up. He said that prevention requires
security guidelines and education. He also advises making Boards of Directors
accountable, as with Sarbanes-Oxley, but dilutes his suggestion because he
believes that fewer individuals will take on the responsibility.

Gary Sevounts of Kount
blames the added complexity of cloud-based systems. David McNeely of Centrify
also faults cloud-based IT and suggests multi-factor authentication and
building security into applications. Andrew Shikiar of the FIDO Alliance
denounces passwords, but Craig Lurey of Keeper Security disagrees.

These issues and remedies
have been around for decades, but seemingly to no avail. I have written often
about them in this column and in articles and books. Yet we don’t see anyone with
authority stepping up to the plate and taking on what is becoming a major

It is time for a new
approach, but what that should be is controversial, especially in an
environment where denial is rampant. If it walks like a duck, and quacks like a
duck, it’s a duck. If there is incontrovertible evidence of foreign
interference in political systems, of attacks on critical infrastructure, and of
the proliferation of unsupported claims in the news, then these are happening
and must be addressed with immediacy and resolve.

Perhaps it is time to
step back, take a deep breath, and truly determine what bad things are
happening and how they should be corrected. I believe that we need to explain
better the motives and motivations of all the players involved, and learn how
these players interact, whether in cooperation or conflict, so that we can
deploy effective protective measures comprising prevention, avoidance and
deterrence. Until we do that, we are shooting in the dark and, as Foremski
describes, we are missing the target time and time again.

*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2019/08/26/cybersecurity-is-failing-time-for-a-reset/