10 Observations: The State of Cybersecurity
What is the true state of cybersecurity? Former US Marine Corps officer and Endgame CEO Nate Fick offered 10 answers during the Empower MSP conference hosted by SolarWinds MSP this morning in Phoenix. Here’s his Top 10 list, with key points paraphrased.
1. The security community is in a state of failure. Customers spent $75 billion on cybersecurity last year. And yet 95 percent of enterprises are compromised. The average time a hacker sits undetected on a network is three months.
2. Equivalent spending between attackers and defenders doesn’t deliver a level playing field. Attackers can afford to be right only once. They’re unconstrained by laws and other restraints that hold the good guys back.
3. The barrier to entry for attackers is low, thanks to hacker kits and more. It took the US and Israeli government millions or billions of dollars to conduct a cyber strike against Iran roughly a decade ago. That attack code has now gone mainstream for anyone and everyone to use.
4. Swing and a miss: I missed this tip. Anyone else catch it? Send it to me and we will update observation number four.
5. Whole new areas of innovation are starting to transform the security landscape. He pointed to big data and aggregated machine learning making better and better predictions. Machines will be everywhere and monitoring everything. The attackers will avoid the big surfaces. They’ll go after the gaps. Security is a big data problem — with folks swamped in alerts and false alerts. 2018 is the year of “prove it” in machine learning for security.
6. The need for independent testing is critical: Many security review businesses are pay-to-play reviews. Customers are pushing for independent reviews of security, and it has to become a norm.
7. Platform consolidation and managed security are accelerating: The consolidation and MSSP touch are required because customers are saying “security is not my business” and they don’t know which products — out of 2,500 — actually work.
8. The U.S. and businesses suffer from a “Fundamental Deterrence Failure”: Adversaries don’t believe the U.S. will launch a counter-cyber strike against attackers. So far, those attackers appear correct.
9. Hacking back is a terrible idea for businesses: The adversaries will always have escalation dominance — especially if they’re funded by nation states. The U.S. government, rather than businesses, needs to ensure deterrence is in place.
10. Cyber risk is a core enterprise risk: There are only three ways to navigate cyber risk — accept it, transfer it or mitigate it.
Fick’s takeaway tips: CISOs and MSSPs must align with the business to get the right security priorities in place. He also strongly recommends that CISOs and MSSPs get the basics right — light patching and multi-factor authentication — before moving on to more complex areas like cyber machine learning.