Enough with the cyber 'wake-up calls'

We already know information security is in dire shape, so let's get on with fixing it — because we do know how.
Written by Stilgherrian , Contributor

Websense issued a "News Alert" on Tuesday, and I was overcome with a sense of déjà vu. It wasn't just because the report it plugged had already been a "News Alert" in April, one that was regurgitated again for journalists to swallow a second time. No, that happens all the time. It was because we should, said the alert, "Consider these survey results a wake-up call."

Now the report itself isn't bad, as far as such things go. Prepared by the Ponemon Institute and titled Exposing the Cybersecurity Cracks: Deficient, Disconnected and in the Dark, it points out some real problems that need to be addressed.

Many, if not most, organisations really aren't across information security issues. Of those that responded to the survey — and I'll come to that in a moment — only 43 percent agreed that "My company is protected from advanced cyber attacks", meaning that 57 percent thought they were not, or were unsure, which is effectively the same thing.

That figure was the same in Australia as averaged across the other countries surveyed: US, Canada, China, Hong Kong, Singapore, India, United Kingdom, Germany, France, Netherlands, Sweden, Italy, Mexico, and Brazil.

"Cybersecurity threats sometimes fall through the cracks of my company's existing security systems," said 69 percent globally, 58 percent in Australia.

"Has your company experienced one or more substantial cyber attacks during the past 12 months," defined as one that infiltrated networks or enterprise systems? Globally, 42 percent said yes. In Australia, 41 percent.

Amusingly, more than 40 percent said no. Perhaps they should have been forced to add "that we know of", because more than half, 57 percent globally, said they don't have adequate intelligence or are unsure about attempted attacks and their impact, and more than half, 56 percent globally, said that their security solutions do not inform them, or they are unsure if their solution can inform them, about the root causes of an attack.

There's further factoids to support the idea that many executives still don't get security — they don't equate losing confidential data with potential revenue loss, they "have a sub-par understanding of security issues", and so on.

But hang on.

We already know all this.

Verizon's respected annual Data Breach Investigations Report (DBIR), to take just one example, has consistently shown that data breaches generally take months to discover, and that most of the time they're discovered by third parties, and that most of the time the bad guys had an easy job getting in. The exact percentages move up and down a bit from year to year, but the general picture remains the same.

The same goes for the rest of the endless flood of vendor-sponsored reports.

Every vendor is eyeing the same global enterprise market. Every enterprise faces the same global threat landscape. It's no surprise that all the vendor surveys and reports generate much the same magic data-like cyber-dust, which is then puffed over every vendor's PR efforts for added credibility.

Any minor variation from survey to survey or country to country is pounced upon, whether it's statistically significant or not, tarted up with some generic feelpinion from a company executive, and branded with a word much beloved of PR operatives: insight.

But is it really "insight" to point out that we need to pay more attention to security? Hardly. Just glance at the endless news of data beaches and secure-programming oopsies.

Should we really take much notice of the precise-sounding percentages? No. Once a survey with fewer that 5,000 respondents across 15 countries is broken down, the per-country figures have a margin of error of plus or minus six percentage points.

Ponemon at least has the decency to point out an even bigger potential problem: the unknowable unreliability of a survey of a self-selected sample based on a mailing list, where the respondents are giving their perhaps-honest perhaps-not opinion about their organisation's readiness levels, rather than being measured against an objective standard. Other investigators are less ethical in this regard.

So is it really a "wake-up call"? Not really. We've had more than enough wake-up calls, as a Google search for "cyber wake-up call" shows.

I could go on, but that's already so many cyber wake-up calls that my cybersnooze button is worn out.

Everyone else's cybersnooze button seems to be working just fine, though, because we never seem to get past the wake-up calls to the next stage, doing something about it — which is silly, because we actually do know what to do.

Nearly two years ago, SANS Institute director of research Alan Paller told us to stop whining about security problems and just fix them. We know that infosec is in dire shape. We don't need any more reports telling us that.

We need to focus on what delivers results most quickly, and research has shown that's things like the Australian Signals Directorate's Strategies to Mitigate Targeted Cyber Intrusions or other research-based checklists, managed through continuous monitoring and measured risk reduction.

We need to increase everyone's ability to recognise and avoid attacks, not through cheesy theme songs, but proven programs like Dan Tentler's punch-in-the-face technique, or SANS' Securing the Human.

And we need better programming cultures and practices, to avoid repeats of OpenSSL's Heartbleed and Apple's goto fail.

Of course, all those vendor reports are really about selling product. The first two recommendations of the Ponemon report, for example, are "investing in technologies that provide visibility and details about attempted attacks" and "better threat intelligence and real-time defences". Surprise, Websense's marketing materials just happen to talk about visibility, threat intelligence, and real-time defences.

There's nothing wrong with selling products. To be fair, Websense's products do have functionality that can help organisations implement continuous monitoring and measured risk reduction processes. But the real aim here is defending enterprise networks.

Yet the vendors rarely tell us real-world stories about organisations that have beaten the bad guys using improved methodologies. They certainly don't tell us about any operational research they might have done, which might then tell us what techniques do and don't work effectively.

But it's precisely that kind of research, not feelpinions tarted up as "insight", that would materially improve every organisation's ability to defend their networks. And you'd certainly sell plenty of products if the techniques that require yours are proven most effective.

Editorial standards