Cybersecurity is broken, and it’s not for lack of trying

I have been in the cybersecurity industry for more than 20 years now. I have founded, operated, and exited several cybersecurity startups. I also advised, invested in, and even acquired a handful. Despite successful outcomes, my experience has left me perhaps a little jaded. Are we winning the battle? When I log into my various web accounts, I am so often reminded that my password had been stolen, sometimes alongside with my personal information. Even major financial institutions and government agencies have suffered a similar fate. Cybersecurity is broken, and here is why.

There are just too many solutions

A lot of good people are doing a lot of good work. In fact, there are over 3,600 companies right now working to solve various security problems. And therein lies the problem. This number is not sustainable. There is simply no way for CISOs to even get their heads around the sheer number of vendors and separate the wheat from the chaff. Cybersecurity is an arms race. Hackers keep finding holes. We keep creating point solutions to close them, however orchestrating a complex suite of solutions is error prone and errors we make call to the thief.

The human factor

Most hacks rely the simplest of techniques, such as social engineering in the form of phishing emails. It’s the human element that is so hard to control, and that human can be easily fooled to give away with his or her password, rendering a lot of our sophisticated tools irrelevant. Conversely, if our tools are too restrictive and users are unable to get their work done, they will find a workaround. This limits how locked down users can be and leaves us again at the mercy of the users’ behavior.

Reactive vs. preventive

Most cybersecurity solutions are reactive, rather than preventive. The mantra is, basically, “we know you’re going to get hacked, so we will be there to tell you about it as soon as we can.” The average time until a breach is discovered, incidentally, is 179 days! And another 69 days to remediate it, based on IBM data. Add to it rising alert fatigue and the scarcity of competent personnel, and you’ve got a big problem on your hands.

Our new perimeter

Remember all the tools you’ve purchased to date to secure the enterprise? Well, now forget about them. It is not the same enterprise we had known. As enterprises become increasingly distributed because of the cloud, containers, edge computing, and of course remote work in these days of COVID-19, new paradigms are needed. Our old firewall and VPN are sitting at the headquarters and do not protect those working from home or accessing the cloud or a SaaS service. But we keep putting in place traditional solutions and spending amounts of money that are inversely proportionate to the security we get out of them. This calls on us to stop and rethink our security model.

Before signing off, is there a ray of light?

I think there is. A new generation of solutions is making use of new technologies and paradigms that can make a difference. Here are a few examples. New AI/ML-based platforms can detect and prevent attacks more effectively and remove a lot of the manual work involved, thereby increasing the productivity of our scarce human operators; cloud-managed security offers the promise of simplified operations and significant cost savings, and better addresses the needs of our increasingly distributed enterprise that can no longer rely on the old, physical network appliances sitting at the data center; finally, providing quantifiable risk metrics will hopefully help us decide which solutions we need based on the bang we get for our buck as it relates to our specific risks. There is hope yet; however, vendors and practitioners need to start thinking out of the box.