The cybersecurity industry has failed. The evidence is everywhere and overwhelming. Anyone who understands that the industry was founded on the fundamental objective of preventing IT systems from breaches and data theft can surely agree that it has failed. Those who do not agree are not paying attention.
It has been more than 35 years since the first computer virus was reported.1 In 2019, the World Economic Forum added cyberattacks, data fraud and information theft to its Top 10 list of sources of long-term risk, which involved assessing how likely the risk was to come to fruition, how impactful it would be if it did and what risk factors were most concerning for global enterprises.2 More than 3 decades after the cybersecurity industry’s conception, 30% of the Top 10 list of global risk sources can now be attributed to it—the same risk the industry was (and is) professionally responsible for addressing. The cybersecurity industry has failed.
Regulations and Breaches
The first clear sign of failure was the onset of legislation and regulations such as the US Health Insurance Portability and Accountability Act (HIPAA), the EU Directive of Security of Network and Information Systems (NIS Directive), the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. When a government gets involved, it is because the industry has failed.
The increases in legislation and regulation are direct corollaries of the cybersecurity industry’s failure to protect systems and the data they process, store, and transmit. But the indisputable proof that the cybersecurity industry has failed lies in the breach statistics. The industry currently recognizes some alarming statistics:3
- 18,525,816 records are compromised every day.
- 771,909 records are compromised every hour.
- 12,865 records are compromised every minute.
- 214 records are compromised every second.
The increases in legislation and regulation are direct corollaries of the cybersecurity industry’s failure to protect systems and the data they process, store and transmit.
The breaches and regulations clearly show that the industry is not getting the job done. It was not designed to incentivize success, thus, it is failing.
The Failures of Product Vendors
Product vendors have also failed the cybersecurity industry. Why? Because their products simply do not work. They do not meet the challenges presented by the threats in our industry. That is a fact. The products are and have always been reactive, not proactive.
Product vendors have failed to keep pace with the skills, ingenuity and adaptability of the threat actors the industry faces. They are a step behind the threats when, clearly, their job is to be a step ahead. Consequently, threat actors have set the pace of the game and cyberprofessionals cannot keep up.
Vendors essentially sell cyberprofessionals knives to take to gunfights.
The Failures of MSSPs
Managed security service providers (MSSPs) have also failed the industry, but in a different way than vendors. Vendors sell products. MSSPs, technically, are selling a process—a product-centric process, but a process nonetheless. Monitoring, management or reporting solutions are purchased from MSSPs but the so-called solutions have failed. Failure is inherent in their design. These services are based on the products’ capabilities and not specific organizational requirements. They are not based on actual enterprise practices and processes. But to a vendor with a hammer, everything looks like a nail.
MSSPs provide packaged solutions that are easy to deploy but difficult for cyberprofessionals to integrate into systems, leaving large gaps in coverage. These gaps leave organizations more vulnerable to cyberthreats than before their security teams bought and installed the product. At best, these solutions are designed to address the problems that enterprises faced 20 years ago. They are useless in today’s threat landscape, much less tomorrow’s.
MSSPs provide packaged solutions that are easy to deploy but difficult for cyberprofessionals to integrate into systems, leaving large gaps in coverage.
The Failures of ISPs
Internet service providers (ISPs) have also contributed to the failure of the cybersecurity industry. ISPs provide the gateways to access the Internet. As such, they are in a unique position to control access. They open the door to the chaotic nightclub that is known as the Internet. Users pay the (monthly) cover charge and are let in, no questions asked. But this is a rough club. There are no minimum entry requirements and, once inside, there are no rules, no laws, and no policing. There is no difference between right and wrong. There are no consequences for bad behavior. On the Internet, anything goes, from identity theft to pedophilia. It is a rough place.
But maybe it is a rough place because ISPs let anybody in the door. Perhaps what they need to do is act as security for the club by denying access to those with nefarious intentions and throwing out anybody inside who is acting as a threat to the rest of the patrons. This is not to advocate for more regulation, but rather the implementation of some common sense and basic consumer safety measures.
Think how different the Internet could be if suddenly ISPs did a little house cleaning. ISPs should provide and enforce minimum-security controls for accessing their networks. They could filter malware, block malicious websites and prevent Internet protocol (IP) spoofing. Finally, they could report or even prosecute people who use their services to commit a crime.
What You Can Do About It
If you agree that our industry does not work and you would like to see change, then be the change you wish to see.
There are more than 4,000 enterprise-level cybersecurity products on the market.4 Vendors and service providers are vying for your dollar, your pound, your euro or your yen. Can you imagine the change that you could affect in the industry if, as a consumer, you started expecting more?
Exercise your power as a consumer. Expect more. Demand more. And maybe, just maybe, you might get it.
Editor’s Note
To learn more, register for the ISACA Conference Europe 2022 and attend Hollis’s session examining how the cybersecurity industry can succeed.
Endnotes
1 Historyofinformation.com, "Brain," the First PC Virus Epidemic, Created in Lahore, Pakistan
2 World Economic Forum, “Cyberattacks and Fiscal Crises Top List of Business Risks in 2019,” 1 October 2019
3 Sobers, R.; “89 Must-Know Data Breach Statistics [2022],” Varonis, 20 May 2022
4 AustCyber, United States Market Insights Report, Australia, 5 July 2021
Richard Hollis, CISM, CRISC
Is a director at Risk Crew, a cyberrisk consultancy based in London (England). He is a celebrated public speaker and an experienced trainer for the ISACA® Certified Information Security Manager® (CISM®), Certified in Risk and Information Systems Control® (CRISC®) and CSX Cybersecurity Practitioner™ (CSX-P™) certifications, and the Cybersecurity Audit certificate. Hollis has presented to hundreds of audiences across the world about a wide variety of information risk management topics and techniques. As a recognized industry authority, he has published numerous articles and white papers, appeared on national and international broadcast news programs, and been cited by entities such as the British Broadcasting Corporation (BBC), Microsoft/National Broadcasting Company (MSNBC), Radio 4, the Financial Times, Time magazine and other media outlets.