dcontesti
Community Champion

Does Security Suck?

I read this article looking for some tidbits but didn't find any.

https://www.forbes.com/sites/forbestechcouncil/2023/09/28/cybersecurity-sucks-and-heres-why-three-tr...

I do not necessarily agree with the author about why Security sucks. Does Security suck? Maybe, but then working in almost any industry can have the same three pitfalls, whether a doctor, nurse, accountant, etc.

Do I believe "The cyber adversary is a human on the other end of the keyboard that is incentivized by a return on investment (ROI)."? Maybe, but not all adversaries are after money; some do it for the glory or revenge or just because they can.

As to Budgets, all departments in an organisation need to "fight" for budget and depending on the organization, Security might be at the top of the pile but in others, it is not as important (think here Heavy Manufacturing).

In security, we know we cannot sit back on our laurels and wait for something to happen, we always need to be thinking about "what next".

One thing that we need to be concerned about is the burnout due to trying to stay on our toes and handling emergencies as they happen.

These are my thoughts only; would others opine?

d

2 Replies
Caute_cautim
Community Champion

@dcontesti What the author forgets is that the person at the other end will not be a person; either "it" will have no morals, no ethics and will be following pre-programmed instructions, or, as per chat-bot fame or mad LLMs, it will have self-delusions of grandeur and superiority in the wrong hands.

In terms of burnout, automation, orchestration and AI are already amongst us; whether we decide to take them and augment our employees is another matter altogether. Burnout is prevalent amongst those who still act in a reactive manner, versus those organisations that adopted a proactive manner of tackling the problem.

The author appears to be wanting some five minute fame, but without much experience of reality.

Yes, humans are at fault for allowing such complex architecture and systems to be constructed, making it vastly more expensive and more complex than it needs to be. Given cloud environments, for instance, there is the complexity and so many levels of abstraction, which are assumed in many cases to be secure but in fact are not, because everyone else assumed they would be secure.

Regards

Caute_Cautim

Early_Adopter
Community Champion

Yes security sucks.

However, everywhere you look in human endeavour we have challenges, and nothing is really perfect or acceptable. I feel daily consternation at my breakfast! I don’t like having only seven (board nominated) candidates for five board slots, and no write-in candidates on the slate! I’m sure the nominated candidates are great and apologies to them in advance… but that sucks. But I sucked it up, changed my behaviour and spoiled my vote! Consternation diminished! There, something can be done! Security and ISC2 are not so bad after all… 🙂

“If we want to improve our cybersecurity effectiveness, there are three existential truths we need to accept:”

Wait, what was that?

“If we want to improve our cybersecurity effectiveness, there are three existential truths we need to accept:”

Oooh, three ground truths no (wo)man can deny? Preach it!

“1. The cyber adversary is a human on the other end of the keyboard that is incentivized by a return on investment (ROI).”

Well, this seems a little specific for a universal truth. Did you know lots of scammers and ransomware operators can sadly be victims of trafficking and modern slavery?

“2. Investments in cybersecurity will have to continually evolve.”

My investment in cybersecurity just grew fins! Oh, I see, the author is yet to read about the “ecology” of software, first mover advantage and dominant predator… that’s ok. Plus ça change: adapt or die. Seems a bit normal, this one. Bet the next one’s better!

“3. If you fail to expect, you can expect to fail.”

Oh dear… That’s clumsy. He’s riffing on ‘fail to prepare, prepare to fail’ which is much better. I think the first ‘expect’ could be changed to ‘anticipate’ to make it better from a meaning standpoint.

I mean it’s frilly and playful, has no deep truths, but then I think the author is selling a managed security service for folk who can’t do it themselves, and let’s face it, it gets harder. Let’s try to improve the three points for meaning:

1. Prepare for a capable, adaptive adversary;
2. As the threat landscape evolves, so must your organisation and its controls;
3. Yeah, this is a stretch… ok: “If you fail to prepare or anticipate how the threat landscape changes, you’ll find yourself behind in the arms race and more vulnerable than if you were doing your job well.”

Anyway, you know what I bet sucks more… plumbing! (But it can also pay pretty well for an MSSP or a human IGUS who fancies themselves a CAS and wakes up each morning being both a Quark and a Jaguar!)

(For a plumber just change MSSP to MPSP…)

This is the sad bit here:

https://www.asisonline.org/security-management-magazine/latest-news/today-in-security/2022/september...