You bought all of the tools and you still got breached. Effective cybersecurity requires a more expansive, nuanced, and human approach.
Forbes: Cybersecurity Sucks And Here’s Why: Three Truths To Accept
Working in cybersecurity sucks. The industry is costly, complex and ever-changing. Individuals we meet with from various organizations seem to have a general feeling of consternation with the environment in which they’re operating: decreasing budget, increasing regulation, relentless threats and confusing buzzwords. If there’s an opportunity for an unprompted 2023 cyber state of the union, it’d be summarized in one word: frustration. Let’s unpack why.
Over the past couple of decades, we’ve been taught that buying security tools is the best way to protect ourselves. First, we bought firewalls, then we bought anti-virus, and finally, we bought a security information and event management (SIEM) solution or a data lake. Lately, it’s become a complex decision tree of the latest conference’s alphabet soup: EDR, SASE, IGA, CTI or xSPM. But the unfortunate reality is that we’ve purchased all of these tools—and still got breached. Why?
The problem with this approach is that cyber is a systemic challenge that we’ve been treating with independent point solutions. Individual cybersecurity tools are not built to beat attackers; they’re built to sell. Each tool sees the world through its own individual viewpoint without regard to what its colleagues are doing. Consider individual chess pieces: Pawns, rooks and knights each have their own distinct capabilities and views of the board. By ignoring the combined capabilities of these pieces without looking holistically at the chessboard, the king is likely to be exposed. This is not a winning chess strategy—and definitely not a winning cybersecurity strategy.
If we want to improve our cybersecurity effectiveness, there are three existential truths we need to accept:
If we stop chasing tools and start embracing cyber as a comprehensive system to keep out a thinking, breathing, human opponent, we can think holistically about how our business is protected (or conversely, how we are exposed). Systemically integrating cyber controls is a prime example where the whole is greater than the sum of its parts. Do we have too many pawns and not enough knights? Are we able to integrate our tools to extract maximum value from our existing investments? Are parts of our business particularly enticing and vulnerable to attackers? If we shift our thinking to the current reality and ask ourselves the right questions, being in cybersecurity doesn’t have to suck.
See what we have to offer.