{"id":280,"date":"2017-06-08T16:02:51","date_gmt":"2017-06-08T16:02:51","guid":{"rendered":"http:\/\/securitycurve.com\/?p=280"},"modified":"2017-06-08T16:02:51","modified_gmt":"2017-06-08T16:02:51","slug":"cybersecurity-dead-good-thing-risk-management-isnt","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=280","title":{"rendered":"Cybersecurity dead? Good thing risk management isn’t."},"content":{"rendered":"

\"\"<\/a>There’s an article this morning on Forbes\u00a0<\/a>from the CEO of UpGuard <\/a>called “Cybersecurity Is Dead”. \u00a0The message is one you’ve heard: that\u00a0looking for specific vendor solutions to plug holes isn’t super useful, that the future has to be a more holistic integration of security into all areas of the organization, that old models of “building moats and walls” don’t solve today’s problems in any kind of long term way. \u00a0It’s all true of course. \u00a0There are also some shots at\u00a0Crowdstrike along the way:<\/p>\n

Crowdstrike \u00a0[advertising]… pose[s] a pernicious yet seemingly tidy answer: “Yesterday\u2019s Antivirus Can\u2019t Stop Today\u2019s Cyber Attacks. Crowdstrike Falcon Can.” \u00a0 Irresponsible hyperbole? Or is it a pitch made in good faith, albeit one as confident as it is ignorant?<\/p><\/blockquote>\n

LOL! \u00a0See what they did there? \u00a0The construction tees it up such that neither of the options (either willfully irresponsible or ignorant and overconfident) are particularly flattering to Crowdstrike.<\/p>\n

Now, poking Crowdstrike is of course fun, so don’t let me get in the way of that… but marketing is marketing. \u00a0One could paraphrase this claim along the lines of: “there exists at least one vulnerability that cannot be detected by an unspecified subset of anti-malware products but that can yet be stopped by our product when used in an unspecified configuration, employed in an unspecified context.”\u00a0\u00a0Hard for that not to be true, right? \u00a0Is it universally or generally true? \u00a0No. \u00a0But do we expect it to be?<\/p>\n

Look, is this\u00a0any different than somebody (UpGaurd)\u00a0saying <\/a>that their solution, “…provides complete visibility into IT assets and makes understanding cyber risk a simple matter for any manager or C-level, whether they’re technical or not<\/em>“? \u00a0Complete visibility? \u00a0All risks? \u00a0Meaning, every possible risk across every device\/host\/app\/person in my environment becomes immediately transparent (even to the “meanest understanding”) if I just sign the check with UpGuard? \u00a0Of course not. \u00a0So again, factual within a certain context that goes unspecified by the claim… it arguably differs in degree, but not in kind, from the Crowdstrike claim\u00a0and thereby it seems somehow unfair to me to ding Crowdstrike if you’re doing the same thing yourself. \u00a0I should tell you in fairness though that the UpGuard site sticks pretty close to avoiding “spin” statements. \u00a0I had to work pretty hard to cherry pick the one I found above… some vendors require\u00a0less work<\/a>\u00a0by far.)<\/p>\n

But whatever. \u00a0I went farther into that than I intended to.<\/p>\n

The point\u00a0I was trying to make was that the claim about cybersecurity being dead is something that I think has merit to consider\u00a0but I think highlights a flaw in what we expect security as a discipline to do. \u00a0Meaning, when somebody says “cybersecurity is dead”, it’s usually on the basis of two things:<\/p>\n