Screaming into the Hurricane
Warning: Pre-Second Cup of Coffee Stream of Consciousness
As US cyber security professionals, you know that sometimes it feels like you are screaming into a hurricane. We are playing Lt. Dan on the shrimp boat. While we scream, beg, and/or plead for patching, overwatch, and support, we are met with skepticism. We want to help, but sometimes it feels like we don't know where to start. We, those professionals, know of identity issues, patching regimens, audits, etc. We know that we need to bring these ideas to bear, but sometimes the audience needs to be educated on the basics. Sometimes the audience wants us to "just take care of it." Where that becomes an issue is where business process meets security obstacles. We try to get across that we should be doing this simply because it is the right thing to do. When the business is impacted, sometimes the "right thing to do" is pushed aside, for a while. Apathy has ensued.
The reasons for this are many. Products cloud our vision, policies drown us in words, regulations are complicated, and frameworks are epic in their scope. The people we are protecting have become numb to the issues, the breaches, and the follow-up actions required. (I would assume everyone in the US is now personally entitled to one (1) free year of credit watch coverage.) We need a concerted focus on how we drive security. We need regulation like a GDPR mandate that can help us drive the point home, in dollars, to the top levels. We need to place the highest importance on the very thing we so dislike doing: maintaining the "Watch."
Without that focused drive, we end up in endless breach scenarios that further cloud our practices. We end up like the most recent bank attack, advertising job opportunities for new security professionals. Whether that is attributed to more money or to recent terminations is not relevant. What is relevant is that information security, or the lack thereof, was squarely to blame for the event. What doesn't seem to happen is that the business re-examines its practices in light of the information security practices that were supposed to be in place previously. If the business process is affected, then we have to understand that impact versus the risk reduction.
We buy insurance for a lot of things, but I would bet that coverage becomes more and more elusive in light of increased payouts. That means insurers will start looking at more detailed procedures, policies, practices, audits, etc. What insurance is doing is finding more ways not to pay out on claims. That is their job. No argument there, but we need to understand how each exclusion affects our business. We need to translate that into risk, and that means possible loss of dollars.
I argue that, in the end, the current system is destined to eat itself. Look at other disciplines that have been affected by the loss/claim/litigation struggle, such as some practices in the medical field. We, security professionals, need help. We need the US government to take this much more seriously. We need comprehensive data security legislation. And I believe that, once enacted, promulgated and matured, it will save businesses money. The real losers would be the litigators and the insurers.
I wonder what your thoughts are regarding my pre-second cup of coffee rant.
Comment (Author helping women in business find their FOCUS🎯, 6 years ago):

I'll be the first to admit that I don't even know what I don't know when it comes to cyber security, but I do know it's more serious than many take it. Thanks for this informative call to action.