Industry Overview, An Anecdotal Take

2024, Jun 14    

Risk management and risk identification related to cyber threats have become a complex problem for organizations and service providers to solve. Staying up on the latest threats and exposures and evaluating those across managed networks gets increasingly complex when technology and attack surfaces continue to expand at an exponential rate to support business operations. More importantly, and a more complex problem to solve, is having the right solution and processes to support what to do when the humans and processes in place are targeted or the next zero day is publicized, affecting a technology widely used by organizations across industries. If you are a large organization, identification of this threat and evaluation of what risks (across various business units) stem from that threat need to be expedited, and strict attention needs to be paid to the overall time spent from initial threat identification time to remediation time.

Obviously, the goal is to minimize the time spent from identification and evaluation to ensuring fixes are in place to minimize threat impact. Unfortunately, what we have seen in some of the major breaches to large organizations lately is the lack of initial identification resulting in substantial damage to those affected organizations. More so, the issue with zero day vulnerabilities and risks that target the human element and created processes is the unknown nature of them. There is not a single organization that can account for every single attack vector that will be leveraged against them across their attack surface (technology, users, etc.) as well as having fortified responsive playbooks to account for these threats. Organizations that spend the most on resources to ensure the above often are in the news having the most impactful breaches known to date. For service providers that are contracted to protect industry and technology agnostic organizations, these problems seem insurmountable from a prevention standpoint, which is why so much focus and capital is spent on the responsive (reactive) sector of cyber.

An unfortunate understanding since I have been in this industry is the inevitable nature of the threats and impact of these threats that WILL happen to organizations of all sizes.

So why dedicate my professional career to this challenge? Often, I think it is a fool’s errand to try to solve. However, this (right or wrong) is what attracts me to this industry. I like hard problems and laugh at companies that market themselves as the “quick and frictionless” solution(s) to solving this seemingly insurmountable challenge.

As an industry, I think better answers and solutions need to be developed in answering the question, “Why bother?”. I get this question frequently from family members and friends, and sympathize with this evaluation of where we are at due to the current state (volume + impact) of cyber threats. Evidence for the prevalence of this risk/reward argument can be understood from watching a recent interview of Dave Kennedy (Industry Expert & founder of TrustedSec & Binary Defense):

As he mentions in the interview, cyber threat and risk can (and will) never be eliminated; rather risk needs to be understood and assessed based on the organization’s appetite for it. From here, the business needs to evaluate the need for measures (controls) that should be put into place to minimize risk to the most critical aspects of their enterprise. These take resources (time + resources + money), security leaders who can articulate these risk-based decisions clearly, and executives who understand implications of them. While there is no silver bullet, there has been exponential progress in the approaches (processes + capabilities) organizations have made - and invested in - to take promising steps forward. I am going to stay away from giving my unfiltered opinions on where I think improvements could be made, because I would rather save that for future posts and research I will start publishing here. However, I want to share my experience to give perspective on why I have shaped my thoughts in this way.