Today I saw an announcement for another cybersecurity leadership council filled with the usual suspects:
“When it comes to the cybersecurity of our networks, the private sector has the capabilities and the market has produced good solutions. Now we need to focus on mitigation of cyber risks through cross-sector information sharing efforts, public and private partnerships, and the improvement of cyber hygiene of businesses of all sizes,” said Howard Schmidt, a partner at Ridge-Schmidt Cyber, and chairman of the council.
Sigh. Let me give this to you all straight:
First, our cybersecurity exposure is fundamentally created by how businesses go about making money. It’s about corporate discipline, perception, culture, value chains, investment strategies, procurement, marketing, communication, trust, operational quality, etc. Cybersecurity state is NOT primarily a function of anything that happens in a CISO’s office. It has very little to do with Information Sharing (as typically defined in this conversation), and Public Private Partnership success depends on having some sort of comprehensive problem space model which precedes conclusions (and the language provided starts with conclusions without a consensus problem space model anywhere).
A CISO’s activities are done in response to a business’s actual exposure (created OUTSIDE of the CISO’s office), the business’s perception of its risk (created by its culture), and actual threat actors (which neither the business nor the CISO’s office directly controls). Therefore any conversation or effort centered on how to do “Cybersecurity” better will, almost by definition, fail. “Cybersecurity”, if defined as “activities centered around the CISO’s office and levers to enable the CISO’s office”, has little to no influence or control over the business risk level created by ICT (Internet Connected Technology) use because it neither controls nor influences ANY of the primary environmental factors.
The problem is, since coordinating solutions in the problem space outside the CISO’s office (exposure creation) requires dealing directly with how businesses make money, it’s a really tough nut to crack (legally, politically, financially, culturally, etc.) and few are willing to do it. It’s MUCH easier to focus on the CISO’s office, even at the expense of success. And, besides, we have a whole security industry telling us that another box or service will solve the problem. (For those not following along, what they mean by “solve the problem” is “hold the line until you slowly drown in the cascading consequences of rising complex conflict interactions online”.)
Further, technically, even if we did move the conversation to “how we do business in general and how that creates exposure” (which NONE of the language around the new group even smells like it might be saying), the way we build IT and OT infrastructure is not securable to the level we desire for the cost we wish to pay. Full stop. This is not a “security” problem; this is a mathematical complexity problem that has to do with error rate and organizational competency across time and disciplines. Moving further on “cybersecurity” without changing the surrounding technical environment (transformationally, not evolutionarily) is an abject waste of time.
Anyone telling you different is selling you something, ignorant, or has unfortunate perspective blinders on.