This truism is regularly used to camouflage flagrantly inadequate cybersecurity. There might not be such a thing as perfect security, but there is such a thing as woefully inadequate security, technologies peppered with holes large enough to bring each enterprise down.
Technologies could save our planet, but vulnerable technologies are the fuel that pushes the cyber doomsday clock forward.
When the Doomsday Clock was invented by a group of atomic scientists just after World War II, the theory was that the dawning of the nuclear age presented a potentially cataclysmic threat to mankind. The Doomsday Clock was a symbol to help alert mankind to our potential proximity to the end of days, most likely due to our own irresponsible actions.
Since then, the time on this clock has been adjusted according to the threats to mankind, ostensibly created by our own actions: inventing and innovating scientific and technological advancements without due care and attention to the consequences. The time on the Doomsday Clock is currently two minutes to midnight.
The parameters influencing the time on the Doomsday Clock now include information warfare, disruptive technologies and even artificial intelligence. In no small part, the time on the Doomsday Clock is being pushed forward by the fragility of the security applied to the critical and pervasive technologies we now use.
Technology: It flies commercial planes, controls most train signaling, runs life-critical medical devices, regulates nuclear reactors and ensures our supermarket shelves are stocked.
How should we protect those technologies? By making the right security investments in them:
- Implementing security by design: ensuring that the organizations we work for treat security as a fundamental requirement and not something to try to stick on cheaply at the end.
- Having the right resources available: enough of the right infosec people with the right cybersecurity skills, under the right leadership.
Are enterprises making those security changes and investments? It appears not. Moreover, it seems the gap between the cybersecurity we should be implementing and what we are actually doing in the real world is widening.
It is estimated that the planet now has over four million unfilled cybersecurity positions, and according to ISACA's Next Decade of Tech: Envisioning the 2020s research, the situation may not be about to get any better:
Are enterprises currently investing enough in the people skills needed to successfully navigate the changing technology landscape of the 2020s?
This was one of the questions within that ISACA survey, and 81% of the more than 5,000 global respondents provided a resounding answer: No.
Despite the warnings, the pace of technological threat evolution continues to exceed the rate at which defenses are improved. In 2018, the gap was about 10:1. In other words, cybercrime and digital disruptions cost the global economy ten times more than we spent on defending or defeating it.
Over one percent of global GDP now goes to cyber-criminals and that figure is on track to reach two percent before the end of 2021.
Each time a major attack is successful, the standard response is to infer that it was a sophisticated attack. In most cases that is blatantly untrue. There has yet to be a major cyber-attack that cannot be traced back to the victim organization's failure to identify and address a long list of basic security deficiencies.
The problem seems to be that people, whether executives or individuals, generally do not care about cybersecurity until it is too late. The rate at which technology is progressing makes it feel too complicated and expensive to get on top of. Landing effective cybersecurity seems to require too much effort. Why bother if it hasn't killed you or your organization yet?
The flawed philosophy of undervaluing effective cybersecurity will continue to unseat many organizations. Why are those organizations failing to attract or train the cybersecurity personnel they need? Look at almost any job posting in the infosec market and the answer is usually very clear. Most security departments are under-resourced, over-worked and report into the organizational structure in a way that prevents them from securing the investment and management support they need.
If you want your enterprise to be different, then consider how to buck those negative trends.
Innovative enterprises are succeeding at overcoming the shortages in the cyber skills market by making their organizations attractive places to work. They are investing in growing and training the cybersecurity people they need.
Whether we do or do not apply effective security to our technologies could ultimately make all the difference in turning back the Doomsday Clock.