Warning: buzzword alert!
My fellow infosec cognoscenti tend to bemoan the fact that, to misquote a popular phrase, “The attacker only has to be lucky once; the defender has to be effective all the time.” Some current buzzwords like “Zero Trust” and “Active Defence” are really aimed at making it harder for an attacker to do anything harmful once they’ve established a beachhead in your network (and they will; “assume compromise”). This used to be called “Defence in depth”, so it is not really anything new.
But there’s a new theme of “It’s not working” which I have some sympathy for. The governance of cyber security tends to be based on passing audits rather than on a business-focused risk management programme. I’ve ranted before about the five questions that I think all organisations should continually ask, starting with an understanding of your assets and moving all the way to what you would do in the event of an attack. My practical experience of most businesses is that they don’t do any of these effectively without a regulator forcing them to. Even if they do put programmes in place, they are as much about ticking the audit boxes as about actually implementing best practice.
This Forbes article says the same thing…:
[…] The bad guys are winning. They are aggressive, hard-working, learning, inventing and focused on the goal of making money. The large army of the good guys is led by hapless, incompetent, unmotivated bureaucrats with meaningless certifications in this or that, consumed by building an audit trail showing that they’ve followed the ever-growing body of useless regulations so that when the nearly-inevitable security disaster happens, they can prove it wasn’t their fault. It’s clearly not a fair fight.
The security war isn’t like a war between nations. It’s more like a sprawling collection of gated communities infiltrated and attacked by myriad bands of criminal groups who break in, rob valuables and sometimes take hostages for ransom. The communities spend more money every year building walls that are higher and stronger and hiring ever more highly trained security people. Governments have multiple departments whose purpose is to stop the criminals directly and to help the communities better defend themselves.