Got cybersecurity problems?
Well, the good news is the same as the bad news — you’re not alone. The world of security has a big data problem and an even bigger people problem.
Enterprise connectivity has drastically increased in the last decade, meaning every employee, contractor, and vendor has some level of access to corporate networks. To support this growth, companies monitor exponentially increasing infrastructure and traffic, producing a steadily rising volume of data. Legacy data tools are typically purpose-built and don’t efficiently handle scale, complexity, or new data types. For many teams, simply getting data in and around systems is a never-ending game of catch-up.
Data dilemmas aside, even if teams can get ahead of their data issues, that won’t address the source of most security failures. Those are people problems.
According to a recent report by Verizon, “The human element continues to be a key driver of 82% of breaches.” Why? Hackers love using social engineering attacks and privilege escalations to log into accounts because it’s faster and more profitable than hacking. Organizations spend tons of money on tools for prevention and detection when, most of the time, security comes down to the person behind the keyboard.
Training only works when people actively engage with it. If given the option, most people will opt to play instructional videos in the background while doing something else, ‘learning’ only enough to answer a question that will advance them to the next section. Security training has come a long way, but more needs to be done to ensure people retain the information and put it into practice in their daily work.
But what, if anything, can be done?
People problems usually boil down to communication problems. In the case of security, there’s often a massive disconnect between the nerds (I use this as a term of endearment) writing training videos and the average user out there clicking on phishing links in Gmail.
A more diverse cybersecurity workforce could help bridge the communication gap by helping organizations to talk about security from different perspectives. Relating foreign concepts to things people already understand helps them understand and retain them more effectively, but requires hiring from diverse backgrounds who can build that context.
We take this context-driven approach when explaining Cribl Stream to folks in different industries. Operational technologists in the oil and gas industry respond better to language around “upgrading their data plumbing.” In contrast, an e-commerce data analyst would prefer to hear about “streamlining their real-time analytics pipeline.” Same product, different messaging, based on the recipient’s contextual background.
The same approach would go a long way toward helping make people more literate in cybersecurity. If we can explain security in terms that people already understand, cybersecurity becomes much more relatable for people who tend to tune out whenever they hear technical terminology.
Finding people who can better explain the importance of security to the general public is much easier said than done. As it stands now, there are only about 75 people available for every 100 open jobs in security in general, and far fewer people with diverse backgrounds and stellar communication skills.
It appears we have a pipeline issue. To solve it, we need to start cybersecurity education significantly earlier. Technology education, in general, has lagged in schools, and especially so in cybersecurity. I love that my kids have Chromebooks as a resource in school — but based on the number of times I’ve had to wipe their less locked-down, non-school Chromebooks because of malware, the schools rely on lack of access to the outside web, not better training, which isn’t creating more security literate users.
While we need to start teaching people about security from a significantly younger age, we will only reap the benefits of better education after several years. Cybersecurity is a problem that won’t wait for our education system to catch up, and cyber criminals don’t seem to have the same issues with recruiting and training new talent as corporations. We must progress toward solving this problem now; hopefully, a few regulations headed down the pipe may help.
No single strategy or solution will unilaterally solve our security problems, but the new SEC rules around Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure may be a good start. Its thanks to the early implementation of these new rules that we know about the Clorox and MGM hacks, as well as the Johnson Controls hack, which is significant due to its potential to disrupt data centers due to JC’s critical role in providing mechanical components.
For years, enterprises have taken calculated risks in areas where they know their security could be significantly better and accept those risks privately. Under the new SEC rules, registered companies will be required not only to disclose ‘material’ cybersecurity events, but also to outline the conditions they consider in determining materiality, making public the risks they are taking knowingly.
These increased regulatory scrutiny and public transparency requirements may lead companies to reduce the level of risk they are prepared to accept and allocate more of their budget to security initiatives, but only time will tell.
In addition to new SEC rules, cybersecurity risk insurance will also be a key driver of enterprise behavior. We have seatbelt laws in place today because of a lobbyist-fueled state-by-state legislation campaign funded partly by auto insurance companies — and cybersecurity insurance will likely follow suit.
It’s becoming increasingly difficult and cost-prohibitive to get cybersecurity risk insurance — better underwriting standards will help make insurance more affordable by providing guidance on security posture. This should help to drive more organizations to reduce their risk tolerance and make changes that improve their posture, especially for companies that rely on government contracts and other work that requires insurance coverage.
The sooner this happens, the better. More unaffordable insurance means fewer companies will choose to accept the risks associated with self-insuring. If a company estimates that it will experience one major breach every five years and that it’s cheaper to remediate or pay ransom than to pay an annual cybersecurity insurance policy, then what incentive is there not to?
The danger of the self-insuring trend catching on is that it will leave the door open to more lax security policies and, thereby, large-scale ransomware or supply chain attacks. Another Solarwinds-style attack could devastate the entire economy if it happens on a larger scale. The industry must proceed cautiously down the road of self-insurance without significant regulation.
If not, or if we fail to contain systemic risk in cybersecurity the way we did with the mortgage industry, the federal government may have to step in as an insurer of last resort to protect against a future financial crisis. Unfortunately, this mechanism would be more complex than how the FDIC operates in the financial sector.
Data domicile issues and governance would cause challenges due to the global nature of most information, so even determining who is responsible for damages could be a multi-national ordeal. An international, non-government organization could provide insurance, which may result in a situation where only those who can afford this insurance are protected, and others are left vulnerable, so there really isn’t an easy answer.
The challenge of making technology and security more equitable, recruiting a more diverse workforce, training them adequately, keeping them from clicking phishy links, insuring their organization against the fallout of those clicks, and then cleaning up the mess isn’t a new one, but the arms race between defensive and adversarial technology is heating up and the next few years will be pivotal in helping our society move forward safely.
Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.
We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.