The last time I posted on this blog, I was writing about some warnings sent to companies regarding online risks, an entirely apropos topic as the USA's National Cyber Security Awareness Month draws to a close. I'd like to expand a little on one of the threads in that last post, because while I think pushes such as 'awareness' are important, I am increasingly flummoxed by our overall expectations of what this awareness will do for us. Let me expand.
Before going further, I should credit the source of the title of this post, which is shamelessly borrowed from Mark Neocleous' book "Critique of Security." While Mark's book is far-reaching (and worth studying, though it is anything but a light read, and quite polarizing!), one chapter that I particularly enjoyed made me realize why I sometimes struggle a little with cyber warnings. Why? Because 'emergency' is very much the new normal: we simply stumble from crisis to crisis. In such a world, the exception is no longer exceptional, and treating it as such is pointless.
While Neocleous' book is about security in its broader sense, many of the same concerns he raises apply to cyber security. The question then becomes: in a world that is always in crisis, how should we think about warnings, awareness, and response?
First, I would argue that recognizing the true state of play is critical; without knowing where you are, it's impossible to know how to maneuver to where you want to be. Recognizing that security operations are continuous, and that threats are never-ending, is step one in building the right worldview. Awareness is a full-time job.
Second, given that we're in a permanent state of "emergency," it's important to think about what we want our warnings to accomplish: warnings need to be actionable. Through this lens, letting defenders know about specific IoCs (domains, IP addresses, file hashes) that they can search for in their own logs is actionable; warning in general terms about a targeted email campaign is not. We're already, and permanently, on high alert, so a warning that only says "be on high alert" changes nothing.
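To make that distinction concrete, here is an added example (my own illustration, not code from the original post) of what an actionable warning lets a defender do: take the indicators from an advisory, undo the "defanging" advisories typically apply (hxxp, [.]), bucket them by type, and search them against whatever logs are at hand. Both the advisory IoCs and the log lines below are constructed for the example; the domain, IP address and hash are not real indicators.

```python
import re
from dataclasses import dataclass

# Constructed IoCs, written the defanged way advisories usually ship them.
# None of these are real indicators.
ADVISORY_IOCS = [
    "evil-update[.]example",
    "hxxp://cdn[.]evil-update[.]example/payload.bin",
    "198.51.100[.]23",
    "0123456789ABCDEF" * 4,  # fake 64-hex "SHA-256", upper case on purpose
]

# Constructed log lines in a loose key=value style (proxy, DNS, firewall, EDR).
SAMPLE_LOGS = [
    "2017-10-30T09:12:01Z proxy user=alice dst=cdn.evil-update.example:80 "
    "url=http://cdn.evil-update.example/payload.bin status=200",
    "2017-10-30T09:12:05Z dns client=10.0.0.14 query=www.example.org type=A",
    "2017-10-30T09:13:44Z firewall action=allow src=10.0.0.14 dst=198.51.100.23 dport=443",
    "2017-10-30T09:15:02Z edr host=WS-114 event=file_create "
    "sha256=" + "0123456789abcdef" * 4 + " path=C:\\Users\\alice\\update.exe",
    "2017-10-30T09:16:11Z proxy user=bob dst=www.example.org:443 status=200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")  # last label alphabetic, so IPs don't match
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str
    value: str


def refang(ioc: str) -> str:
    """Undo common defanging and normalise case so the IoC compares to real log data."""
    return (ioc.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").replace("[:]", ":"))


def build_index(iocs):
    """Bucket indicators by type. A URL contributes its host, because most log
    sources (DNS, proxy, firewall) record hosts far more reliably than full URLs."""
    index = {"ip": set(), "sha256": set(), "domain": set()}
    for raw in iocs:
        ioc = refang(raw)
        m = URL_HOST_RE.match(ioc)
        if m:
            ioc = m.group(1)
        if IP_RE.fullmatch(ioc):
            index["ip"].add(ioc)
        elif SHA256_RE.fullmatch(ioc):
            index["sha256"].add(ioc)
        elif DOMAIN_RE.fullmatch(ioc):
            index["domain"].add(ioc)
        else:
            raise ValueError(f"unrecognised indicator: {raw!r}")
    return index


def parent_domains(host: str):
    """cdn.a.example -> [cdn.a.example, a.example]; an advisory that names
    a.example should also catch its subdomains, but never the bare TLD."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def scan(lines, index):
    """Return one Match per (line, type, value); repeats within a line are collapsed."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        text = line.lower()
        seen = set()
        for ip in IP_RE.findall(text):
            if ip in index["ip"]:
                seen.add(("ip", ip))
        for digest in SHA256_RE.findall(text):
            if digest in index["sha256"]:
                seen.add(("sha256", digest))
        for host in DOMAIN_RE.findall(text):
            for candidate in parent_domains(host):
                if candidate in index["domain"]:
                    seen.add(("domain", candidate))
                    break
        hits.extend(Match(line_no, t, v) for t, v in sorted(seen))
    return hits


def find_matches():
    return scan(SAMPLE_LOGS, build_index(ADVISORY_IOCS))


if __name__ == "__main__":
    for hit in find_matches():
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```

Three of the five constructed lines match (the proxy fetch, the firewall connection and the EDR file event); the two example.org lines do not. The refanging and parent-domain steps are the parts people most often skip, and both silently produce zero hits when skipped, which looks exactly like "nothing to see here."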
This leads neatly to my third point: we need to be cognizant that it's going to be difficult to raise awareness much above where it already is. Humans are, above all else, human; that is, we're emotional more than rational, and so getting your end users to change is capital-H Hard. Not impossible, but hard. When a user is trying to pay expenses, respond to an email, or close a sale, her mind is on the task at hand, not on security. That's just part of being human. There are clever ways to help with this, but we're not quite there yet. When you're thinking about defenses, that's a reality you have to accept and design around, rather than one more training module to assign.
So, what’s a CISO to do? Throwing one’s hands up in despair does not a solution make.
Personally, when I see October come and go, my response to National Cybersecurity Awareness Month is straightforward and simple. I pick one thing. Just one, usually one of the 'basics' that I think we're not executing as well as we should, and I make it my mission to nail it. Maybe for you it's a company-wide approach to patching. Maybe it's the "development" workstations that you don't monitor appropriately. Maybe it's backups. Pick one thing, and fix it. If we can all take on a project like that, October will move us into a more secure place for 2018.