Five Cybersecurity Myths That Need To Go

Forbes Technology Council

Taavi Must is Founder and CEO at RangeForce, which provides a scalable, cloud-based and interactive cybersecurity training platform. 

The cybersecurity industry is plagued by dated myths and fallacies. Some of them may have been true in the past, but today, they work against us. Here are five old-school beliefs we need to put to bed. 

Only security teams understand security.

Most cybersecurity practices evolved in the early days among a small group of people who knew how to hack systems, as well as how to defend them. They were smart, with a very deep understanding of IT — networks, servers, applications, etc. — and emerging cyber threats. Over the years, they became a closed group, not because they wanted to be isolated, but because they felt other IT people just didn’t get it. 

These early infosec pros shared their views, but virtually nobody listened to them. They were always the “no” person in the organization, preventing people from getting work done, all in the name of information security. IT security personnel often blamed human error for data breaches, which didn’t make them very popular. 

Security teams came to think of developers and IT as hopeless because they didn’t understand cyber. This led them to develop a self-defeating “us versus them” attitude. 

Organizations need to enlist everyone’s support in fighting cyber threats, not just the security team’s. A company is only as secure as its weakest link. 

Cyber is all about the tools.

With only a small group of cyber experts to draw on, enterprises are left with a major problem: How do you scale cyber defenses? The default answer has been technology. In fact, companies spent over $167 billion in 2020 on cybersecurity, most of it on security products, and that spending is projected to grow by almost 11% every year through 2028. 

But after a decade of boosting spending on tools, the spike in cybercrime we’re witnessing today shows that tech isn’t a universal solution. Every vendor is promising a silver bullet, but each new technology comes with a price tag in time and money, creates adoption disruption, requires training to master and offers no guarantees that it will improve the organization’s overall security posture. 

To a certain extent, tech tools have made life even harder. “Alert burnout” is real, and companies need to worry if their security analysts are unnecessarily spending their days chasing down automated alerts of suspicious emails, instead of investigating real threats. 

The IT estate keeps expanding, mistakes are unavoidable, and every mistake opens a door to attackers. Without the right tools there is no chance of success, but the tools have to be used properly. Any new technology needs pros who are trained to use it, maximize its effectiveness and make it work with the tools already in place. 

Cybersecurity training is fundamentally broken.

As mentioned earlier, security pros tend to think there’s no point in training IT staff and others outside the cyber circle of trust. And that’s not necessarily wrong: The old school of lather-rinse-repeat training doesn’t wash. Reading text and completing quizzes to tick a box in an annual compliance questionnaire is just not effective. Hands-on, self-directed learning, on the other hand, has proven to be a much better way to change behaviors.  

Because all good hackers are self-learners, and cyber practice emerged from the hacker culture, security pros know that old-school education never works. Once-a-year classroom training is a waste of time, and they know it; 65% of pros in a recent poll said their organization wasn’t giving them enough training to keep up with the risks they face. 

Training can be effective if it’s a continuous process, tailored to the skill level that is right for the learner and relevant to their work in the organization. Your security people need to embrace that type of learning and advocate for it. 

A good SOC will save the world.

Having a well-trained and staffed security operations center (SOC) that coordinates threat intelligence and defenses certainly helps your organization’s security posture, but it’s not enough. If your systems aren’t built correctly, then you can’t defend them. The Great Fire of London was so damaging not because the city didn’t have firefighters or the Thames didn’t have enough water. London burned down because the city was built in a way that made it almost impossible to stop the fire. 

The culture of cybersecurity has to embrace security-by-design. Systems need to be built with security in mind, not deployed and then presented to the SOC so their staff can make them safe. Security analysts should be involved in every stage of development, not just to run some pen testing when it’s time to throw the switch on a new app or cloud service. 

If we truly want to stop the “cyber fires,” we have to educate everyone in IT, as well as end-users. Cybersecurity needs to be democratized. 

Hackers are always bad.

Hackers do wreak havoc on systems, but their activities are increasingly carried out by criminal gangs, and for the people in them it is often a job like any other. In countries with poor economic conditions and limited options, hacking can be an enticing path for technology-inclined individuals to make money. Given the opportunity and access, a large portion of “black hats” could adopt a “white hat” role. Relaxing requirements for certifications and training in the hiring process could open the door for hackers to join the right causes and earn a livable wage.

In fact, only 13% of cybersecurity professionals actually pursued an education in cybersecurity before they got their first job in the field, according to a study released this year by (ISC)², the association of certified cybersecurity professionals. More than half said a security education was “nice to have,” but not critical.

Even though cybersecurity as a discipline is still in its infancy compared to computing as a whole, it has evolved at breakneck speed since the emergence of the first virus in the 1980s. However, much of our thinking about cybersecurity is still bogged down by outdated principles. This has to change if we want to keep up with our adversaries.
