The Heartbreaking Reality that is Cybersecurity
Cybersecurity is a very different beast from software engineering. If you just write some code to solve a problem, it's almost guaranteed to be insecure. Adding security always costs time and money. Where does that leave us? Heartbroken, that's where.
Cybersecurity is an uneven place full of sharp edges. Broken glass underfoot. I don't have a fully formed theory–yet–as to why it's so different, so difficult, so unusual, so brutal, and honestly, so heartbreaking, compared to the rest of software engineering, but I'm on the verge of one. Maybe in a few years I'll figure it out. But in the meantime, I just have to deal with the strangeness as it comes.
I find the area fascinating and frustrating at the same time, and tidal waves (see what I did there?) of lucidity come and go. We see these waves out in the real world as well, as occasionally security practitioners can't take it any more and write down how they feel about the industry. Like, for real how they feel. The hard truths.
Hard Truths Your CISO Won't Tell You
Every once in a while, a great article or piece of content comes along through my filter/feed/algorithm that helps me see the threads that tie all the strangeness of cybersecurity together. "Hard Truths Your CISO Won't Tell You" is one of those pieces.
Link - https://www.slideshare.net/slideshow/hard-truths-your-ciso-won-t-tell-you-pdf/271536326#18
Travis McPeak, co-founder and CEO of Resourcely, put up a set of slides from a talk he gave called "Hard Truths Your CISO Won't Tell You".
He's broken it up into a few sections, not all of which I'm going to repeat here, but honestly, the "hard truth" of it all is refreshing and terrifying at the same time–like an unexpected splash of cold water. Annoying, but it wakes you up. Draws up something primeval out of the old lizard brain.
In the slides, which include notes, he talks about:
- The Business of Security
- The Security Organization
- Security Practices
- Good News
Here I'll just take a look at the first section, "The Business of Security", as there is enough here, in this little section, to last a lifetime of cybersecurity work.
The Business of Security
The reality is that businesses have to make money: they have to generate revenue and make a profit. That's what they do. That's why they exist.
To make matters worse, it's always easier and cheaper to build a product or sell something without security. That's part of the problem, the weirdness of cybersecurity–it's not necessary to make money. We don't need security to make a profit. We should have some security, of course, but it is not absolutely necessary. Just like in some places in the world you don't need to lock your doors. But in other places you do. And put bars on the windows. And get an alarm system. And video cameras. And reinforce the doors. But if we just lived in a safe place, we wouldn't have to do any of that. But there seem to be fewer and fewer safe places, especially when we're talking about software. In software, on the Internet, there are no places where you can leave your doors open.
So business goals will always (always) win out over security. Sometimes this is obvious, other times we, as cybersecurity practitioners, simply forget that side of the equation.
Some points Mr. McPeak makes:
- Business > security
- Compliance > Security
- Compliance incentive to "check the box"
- Companies are fibbing about their security to customers
- Humans are bad at estimating future risk
- Security is qualitative
- Security is more art than science
- Security is a cost center
- We don't know if security works
- Most companies live below the security poverty line
- Security breaches don't matter (much)
- Privacy is dead
I won't get into each of these points, but I will cover a few that I think are important.
Qualitative and Art > Science
McPeak says the following in his slide notes on the qualitative aspect:
If you’re in the business part of the business, you speak in dollar terms – unblocked customer deals, revenue growth, etc. In security we tend to talk about “criticals” vs. “mediums”, stop light colors, 1-10, and other very squishy measures of risk. How do we assess these? Are two yellows worse than a red? Is one yellow worse than the other? If we don’t fix the yellow, are we in trouble?
Here are his notes on the art vs science component:
Because of our stop sign colors and poor understanding of risk, it’s hard to define an absolute cut line on security unless compliance mandates something. Should we roll out 2FA this year? We can estimate how much it will cost, but what will that produce for us? Somebody has to make a gut call and justify it to leadership. What if we can only do 2FA rollout or build that new feature a pile of customers have been asking for? Testers often don’t follow repeatable processes, [are] vibes based.
This is another piece of the cybersecurity puzzle in that it's not...deterministic. It's a bunch of "gut" decisions, people making (usually) educated guesses. You can't just apply "security"; it has to be well thought out. There are different types of attacks that can take place, different types of tools, new tools, new attacks, and in some cases it requires a different mindset. There are also qualitative issues in determining and explaining risk, as McPeak discusses, and even then, deciding what to do from a security perspective is extremely difficult: it's political and it's complicated.
The Poverty Spending Line
Unfortunately, because security is such a strange beast, because cybersecurity is so involved, because we need so many different strategies and prevention systems, there is a level of spending required to have enough protection, and most companies live below that line, this "security poverty line." Think about all the midsize and larger companies that have been ransomed into oblivion–they were probably all living below the poverty line.
There is also a recent post in Venture in Security by Ross Haleliuk discussing the same topic.
Every day, we read about the continuing growth of the cybersecurity market, the rising number of breaches, and the ever-increasing demand for security solutions. In all this cacophony of signals, it’s too easy to miss an important but rarely articulated truth: outside of the top 2,500-5,000 enterprises and publicly traded corporations, few businesses have dedicated cybersecurity budgets. - https://ventureinsecurity.net/p/lifting-the-world-out-of-the-cybersecurity
The default level of cybersecurity is very low. If you just start writing some software to accomplish a goal, it's virtually guaranteed to be insecure. To raise that bar we have to spend money on tools and training and experience, all of which is in short supply, and of course, costs money. So many–if not most–organizations simply go without, hope that they aren't attacked, and deal with it if they are.
He continues:
The cybersecurity poverty line problem is real, and there are no signs that it is going to go away anytime soon. On the contrary, it appears to be getting worse. According to the Global Cybersecurity Outlook 2024 Report produced by the World Economic Forum in collaboration with Accenture, “There is growing cyber inequity between organizations that are cyber resilient and those that are not. In parallel, the population of organizations that maintain a minimum level of cyber resilience is disappearing. Small and medium enterprises (SMEs), despite making up the majority of many country’s ecosystems, are being disproportionately affected by this disparity. The number of organizations that maintain minimum viable cyber resilience is down 30%. While large organizations demonstrated remarkable gains in cyber resilience, SMEs showed a significant decline. More than twice as many SMEs as the largest organizations say they lack the cyber resilience to meet their critical operational requirements.”
We Don't Know if Security Works!???!?
Let’s say we do the 2FA rollout. Are we going to get breached? Maybe? Is the security team too small, the right size, or too big? What did the business get this year for security dollars spent? Are we doing well? What would happen if the security team was 1/5th of the size next year?
Terrifying. No matter what we do, we're never sure that any cybersecurity work is going to save us. How can this be? After all this work–still we don't know? Heartbreaking.
Heartbreaking Reality
At the end of the slides, at the end of reading through the notes, at the end of writing a piece of software or looking at a vulnerability report... we are left to contemplate the existential terror of cybersecurity. And it is indeed, at least for me, quite heartbreaking.
But we can't be defeatist! Yes, it is a lot of work, blood, sweat and tears. But there seems to be a kind of universal truth–security takes and doesn't give a lot. It's always cheaper to do nothing. So we have to work as hard as we can to understand where we can put that money, those resources, to do the best job. We take things apart and put them back together as best we can.