Cybersecurity dead? Good thing risk management isn’t.


There’s an article this morning on Forbes from the CEO of UpGuard called “Cybersecurity Is Dead”.  The message is one you’ve heard: that looking for specific vendor solutions to plug holes isn’t super useful, that the future has to be a more holistic integration of security into all areas of the organization, that old models of “building moats and walls” don’t solve today’s problems in any kind of long term way.  It’s all true of course.  There are also some shots at Crowdstrike along the way:

Crowdstrike [advertising]… pose[s] a pernicious yet seemingly tidy answer: “Yesterday’s Antivirus Can’t Stop Today’s Cyber Attacks. Crowdstrike Falcon Can.” Irresponsible hyperbole? Or is it a pitch made in good faith, albeit one as confident as it is ignorant?

LOL!  See what they did there?  The construction tees it up such that neither of the options (either willfully irresponsible or ignorant and overconfident) are particularly flattering to Crowdstrike.

Now, poking Crowdstrike is of course fun, so don’t let me get in the way of that… but marketing is marketing.  One could paraphrase this claim along the lines of: “there exists at least one vulnerability that cannot be detected by an unspecified subset of anti-malware products but that can yet be stopped by our product when used in an unspecified configuration, employed in an unspecified context.”  Hard for that not to be true, right?  Is it universally or generally true?  No.  But do we expect it to be?

Look, is this any different than somebody (UpGuard) saying that their solution, “…provides complete visibility into IT assets and makes understanding cyber risk a simple matter for any manager or C-level, whether they’re technical or not“?  Complete visibility?  All risks?  Meaning, every possible risk across every device/host/app/person in my environment becomes immediately transparent (even to the “meanest understanding”) if I just sign the check with UpGuard?  Of course not.  So again, it is factual within a certain context that goes unspecified by the claim… it arguably differs in degree, but not in kind, from the Crowdstrike claim, and thereby it seems somehow unfair to me to ding Crowdstrike if you’re doing the same thing yourself.  (I should tell you in fairness though that the UpGuard site sticks pretty close to avoiding “spin” statements.  I had to work pretty hard to cherry-pick the one I found above… some vendors require less work by far.)

But whatever.  I went farther into that than I intended to.

The point I was trying to make was that the claim about cybersecurity being dead is something that I think has merit, but that also highlights a flaw in what we expect security as a discipline to do.  Meaning, when somebody says “cybersecurity is dead”, it’s usually on the basis of two things:

  • People still get breached despite security activity *or* there are more breaches in aggregate over a certain time period
  • This happens despite increased investment, effort, changes in approach, etc. etc.

Therefore, the implied expectation is somehow that “cybersecurity” means you don’t get breached.  And when you do, it implies that somehow security isn’t working.  This is a flawed assumption.  In the physical security world, nobody would expect this to be true for example.  Does having security at a bank imply that banks never get robbed?  If so, where’s the line at which it becomes impossible: is it when I have one guard or when I hire my twentieth?  Is there some “critical mass” of security beyond which robbery becomes impossible?  No.  So is it dumb to have security?  Should banks get rid of their guards because there are still bank robberies?  Also no.  Instead, it is a risk management decision of which “being robbed” is only one possible variable in the equation.  Yesterday, I went on a rant about people not doing risk management — and I think assumptions like this one are part of the reason why.