‘Lying Eyes’ Are Deceiving: Cyber Security Is Actually On The Rise

Add bookmark

Dan Gunderman
01/10/2018

Despite the numerous headlines, the heated race to the market that vendors partake in and blog posts on cyber doomsday, there are some industry insiders and analysts who believe cyber security, as a whole, is on the up and up.

In fact, one Info Security Magazine contributor, Gary Golomb, co-founder and chief research officer at Awake Security, believes that enterprise security is both stable and improving with each passing year – and he points to sophisticated remedial tools at practitioners’ disposal.

“So forget what your lying eyes tell you,” Golomb warned readers and practitioners. “From both an industry/vendor standpoint down to the security analyst on the front lines – security is getting better.”

What’s more, cyber security entrepreneur and Verodin Inc. Chief Information Security Officer (CISO) and VP of Security, Brian Contos, spoke with the Cyber Security Hub about the same underlying topic. Despite the vertical’s soaring capabilities, he called for a sort of reassessment to the way security is viewed.

“As an industry we’ve been doing much of cybersecurity wrong. We have over 1,800 security companies trying to sell something ‘better.’ What we need is something ‘different,’” Contos said. “One of the biggest gaps I see is that there is no validation of security control efficacy. Most organizations can’t tell you what's working, what’s not, and if the time, money and resources they are putting into security results in value. We need to think differently about security. We need to implement solutions that allow us to manage, measure and improve the security controls we already have and stop managing security based on assumptions.”

Further, despite his sweeping conclusion, the Info Security Magazine contributor also acknowledged the scale and frequency of mega-breaches such as Equifax, Deloitte, Uber, etc., and admitted that the intensity of each cyber incident is profound and, often, fleeting (to combat sophisticated tools within the enterprise).

Still, Golomb wrote, “We’ve become too reliant on headlines and vendor marketing to dictate where we are as an industry. We’ve become beholden to our own fear, uncertainty (and) doubt…”

“Security isn’t about headlines. Headlines can be more reflective of reporting requirements than they are about the actual state of enterprise security,” he continued.

Similarly, on eliminating FUD to focus on rapid improvements instead of the media’s bombardment, Contos told the Cyber Securiy Hub, “Most business and security decision makers already understand the risks. We don’t need more FUD. Instead, we need greater focus on leveraging security as a strategic business imperative. Security is fundamental to every organization. If we can measure it like other strategic business units, security conversations can make it to the executive team and board where they belong. We need to move beyond just tactical, technical conversations in security to strategic conversations predicated on metrics and prioritized recommendations that illustrate how security can better address the organization’s mission.”

The comprehensive Info Security story also included a cyber timeline, to underscore Golomb’s points about a culture of improvement. Prefacing the timeline, he admitted that the number of hackers has indeed increased, as have the number of connected devices (due to the internet of things, or IoT). But he compared that malicious evolution alongside cyber security advances.

The timeline includes a look at: vulnerabilities in DNS and FTP servers in the mid-1990s, then a focus on web servers after the deployment of firewalls. The hacker focus then became third party custom applications – which Golomb said resulted in the first generation of application firewalls and audit software. Golomb then pointed out that the focus shifted to clients, and the Windows platform. Then hackers began targeting browser plugins. In the next phase, malware increased, as did backdoor development.

Further, hackers then began to target standard system tools, making them harder to flush out of the network. Golomb ended the timeline with the industry’s shift toward quick-hitting attacks and the rise of ransomware.

He concluded, in part, by writing, “Without FUD (fear, uncertainty and doubt), we can rationally predict the evolution of the threat landscape and better identify the solutions to protect against the next wave of attacks.”

On the industry’s general trajectory, Contos also added, “Organizations will require a greater amount of automation across incident prevention, detection and response. They will require greater visibility into the effectiveness of their security controls and the capabilities of their teams and processes. This will allow them to focus on the highest priority issues while mitigating risks as efficiently and effectively as possible.”

In light of these rapid-fire technological improvements, there is another issue that must be addressed: the talent crisis. Recent data, reported on by the Cyber Security Hub, points to a projected 3.5 million vacant cyber security jobs by 2021. (The joint report came from Cybersecurity Ventures and the Herjavec Group.)

Sure, new technology glistens and promises to plug network gaps. But this systemic workforce issue must also be addressed on a cultural level inside the enterprise.

Of this entire matter, at least one point is certain: The media, vendor and publicity communities must do a better job at playing gatekeeper to eliminate much of the anxiety plaguing boardrooms. Indeed, it is a tall order.