American corporations have a high degree of cybersecurity risk awareness, and yet many enterprises, especially in non-regulated sectors, fall short in their cybersecurity stance. This is mainly because executives see security as an ROI-less investment mandated by regulation.
Even worse, executives suffer from two psychological biases: “We haven’t suffered a breach this year, so no need to invest more in security” and “We will be hacked anyway, so all this security stuff is voodoo and a waste of our money.”
Even so, no one can ignore the severity of cyber threats today. Ask anyone in corporate America and they’ll tell you that cyber risks are real. Heck, even Warren Buffett warned recently that cyberattacks are ‘the number one problem with mankind.’ This is not surprising given all the recent high-profile security breaches, from the Democratic National Committee hack to the Chipotle breach.
But the way the cybersecurity industry has reacted to these threats has created deep mistrust among its customers. The fact that no solution provides one hundred percent security forces organizations to install and maintain between six and 50 different security products.
Focused on generating alerts, these security systems create too much noise, most of which consists of false positives that eventually result in alert fatigue. Even when an actual breach has been detected, it can take a long time to remediate completely, because these solutions do not present the full scope of the incident.
This reactive “action and response” cycle continually puts the “defending team” on its heels, reacting to, rather than understanding, what is really happening. This is obviously very frustrating for executives who see the company bleeding cash for improved security while in effect achieving very little.
Some executives call for greater government involvement, noting that their organizations lack the resources to defend against sophisticated attacks. Government initiatives to secure the private sector are almost always insufficient, because it is impossible to gauge the security stance of each and every company and recommend (or order) the implementation of specific security measures. To do so would require a nationwide federal cybersecurity auditing task force, and no one wants that.
The same goes for sector-wide information sharing. Companies are not incentivized to share information about threats and breaches, because doing so carries legal (and potentially regulatory) liability. But even if they were incentivized, the shared information would likely be very general and vague, requiring an extremely capable chief information security officer on the receiving end to digest it and implement the required security changes.
The answer is not to impose more regulations, nor to force companies to share information, but to make sure they can get the basics right. It is really more about proficient manpower, training, and guidance than about more technology.
In this regard, the NIST Cybersecurity Framework provides relevant guidance for most companies, and it is up to them to implement it. But there is a catch here: even the most comprehensive framework, implemented to perfection, does not equal one hundred percent security.
This is something enterprises must understand. They need to switch from an insurance-like mindset to a military mindset. When they are able to shift from a “let’s do as the guidelines say, so we won’t have to worry when a breach occurs” philosophy to a “let’s follow the expert advice and proactively prepare for a breach” mindset, then we’ll start to see fewer breaches, better handling of them, and improved communication with peers and the public alike.
Gilad Peleg is chief executive officer of SecBI, a threat detection company.