Too much focus on stunt-hacking, and not enough sensible advice? We hear you.
Facebook CISO Alex Stamos launched a withering attack on the cyber security industry in his 2017 Black Hat keynote: too much focus on technically complex "stunt" hacks, he said, and not enough help for the mass of people trying to stay safe. His prescription: be more diverse and show more empathy, before it gets worse.
Amen, we say.
Imagine if, instead of spending our time researching new ways to pwn Internet connected foot spas, we pointed our brightest and best people at ways to protect the masses from common forms of cyber-attack.
If we enabled everyone to adopt the five controls of the Cyber Essentials scheme (boundary firewalls, secure configuration, user access control, malware protection and patch management), then we might be talking about cutting economic losses by something like 80%, instead of indulging in cheap pwn goals.
Alex Stamos identified the biggest issue facing the cyber security industry today. Namely, that it’s far more fun to break stuff than fix stuff. Who wants to be a goat when you can be a lion?
The impact of what is, essentially, a cultural issue is that most of the people who actually have the technical skills to defeat cyber criminals are too busy breaking stuff, demonstrating what we already know: that we're all vulnerable, and that the problem gets progressively worse as we wire more parts of the economy together.
We’re like a football team full of attackers who refuse to track back from the opposition goal, and complain while their team loses because there’s no one willing to defend. A crude analogy, but you get the idea.
So how do we get better? How can we encourage the attackers to defend?
Maybe we can't – at least not any time soon. We’re asking a bunch of folks, whose lives and personal identities are defined by their poacher status, to turn gamekeeper. That’s no small change.
So how about we strive for new, disruptive ways to automate cyber security?
We often assume that we need to look for answers right at the top of the problem stack, when most organisations can barely discover, patch and configure their networks. If we had a pound for every organisation we have encountered that knew its network topology and patched consistently... we'd be broke.
The market needs far better tools and services to solve basic problems that have been around for years, not silver bullets to detect the undetectable. If we could do the basics much better, at a price affordable for the masses, our cyber security losses would be much reduced.
We’re using our hacking knowledge to design tools, products and services that show off our tradecraft to best effect: by helping every person and every business to protect themselves…
…then we go muck about pwning foot spas.
If you're new to cyber risk management, we can help you find your feet. We can guide you through the process from cyber security assessment to penetration testing and even staff training. Find out more about the XQ assurance here.