STRATEGY
Forget Security FUD: It’s Time to Get Proactive as We Run with the Bulls
Fear, uncertainty and doubt (FUD) have long been the watchwords of cybersecurity, but it’s time to take a different approach. Charl van der Walt, chief strategy security officer at SecureData, argues that cybersecurity needs to switch its focus to the bigger picture.
Human beings at their very heart are story-tellers and observers of narratives. In fact, our brains are constantly finding ways to make meaning out of often random and disconnected events to form an over-arching narrative of our lives that makes sense.
In cybersecurity the narrative is too often about fear, uncertainty and doubt (FUD): a tale we have been voracious consumers of for too long. Companies are usually portrayed as victims: weak, timid prey waiting to be pounced on by the hungry, predatory cyber-criminal. Vendors and, in turn, the media, amplify this negative tone by focusing hysterically on what the bad guys are doing.
I propose an alternative narrative, one that uses a different kind of language and urges a focus on the bigger picture.
Hunter and hunted: the FUD-driven cybersecurity narrative
In this narrative of FUD, perpetuated by much of the cybersecurity industry, the Black Hats are positioned as the hunter: shadowy figures working away in the darkness to snare and penetrate organisations for personal or political gain. It’s a powerful analogy which plays to our basest fears, painting us as prey constantly on the run from some predator, like a gazelle fleeing a lion. But it is also responsible for an overwhelmingly reactive approach to online threats. The gazelle runs instinctively from the lion: it doesn’t plan ahead of time or work on strategies to make itself harder to catch.
Perhaps even more insidiously, the lion/gazelle analogy creates two very powerful but very false corollaries. The first is that we can outrun the lion: by running fast enough, until she tires or gets distracted, we can ultimately avoid capture. The second is more subtle: that we don’t actually have to outrun the lion at all, that it will serve just to outrun the other gazelles. As long as there is other prey more vulnerable or less nimble than we are, then they, not we, will ultimately fall victim to the hunter.
It’s true that better standards, smarter people and better intelligence can go a long way to improving our response to security threats. But these measures can only go so far. Whether consciously or not, our humanity always brings us back to the narrative. That’s why we also need to consider changing the hunter-hunted analogy if we are to change the way we do security, and move from a reactive and underprepared stance to a proactive and purposeful one.
Running with the bulls: an improved cybersecurity mindset
We’re often distracted as an industry by the latest big-name threats. The marketing departments of security vendors and research institutes have had a great time of late dreaming up catchy, doom-laden names for them: KRACK, Heartbleed, Spectre, Meltdown, WannaCry, and the list goes on. But this only serves to reinforce the old hunter-hunted dynamic.
It might be more constructive to think of cybersecurity not in terms of a lion and its prey but of running with the bulls. After all, the threat landscape is similarly chaotic and random; there is no end in sight, just new bulls and an endless stretch of road to run.
If we follow this analogy, we recognise that the chaos and unpredictability introduced by an adaptive adversary are our constant companions and that constant awareness, engagement, re-assessment, realism and adaptation must characterise our response.
In this chaotic world there is little correlation between what you invest in security and how much risk reduction you can expect to enjoy as a result. There is also no such thing as “baseline” security. Doing security better than your rivals is not enough, and a compromise of some sort remains a question of “when”, not “if”.
The bigger picture
Basic cyber-hygiene, such as patch and vulnerability management, is a vital element in keeping the organisation as resilient as it can be: there is little point in investing in sophisticated, expensive security if you haven’t got these basics right.
However, the truth is that we live in a chaotic world with no end game in sight. This is a reality the security industry needs to come to terms with and embrace, rather than perpetuating the lion-and-its-prey narrative.
If organisations better understand their online foes, adapt their strategies accordingly and work to master the basics of cyber-hygiene, they stand a good chance of outrunning as many of these bulls as possible. Just as important, though, is appreciating that you can’t outrun them all.
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader, Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, was stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
SWIFT, 2016
Weaknesses in the SWIFT payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang