Time for a Change of Approach

Roger Temple, Information Security Manager,

Roger Temple, Information Security Manager,

The internet is resplendent with InfoSec advice about what you should or should not be doing to secure your organisation and its data. Given the number of headlines we see around security breaches on a daily basis (and to me, what seems to be an increasing number), this advice either is not getting across or is not appropriate (often very simple), and security controls are not being implemented.

We have a plethora of standards across the world that provide frameworks and guidance on how to best secure our organisations; NIST 800 series and CSF, ISO 27k series, CIS, and more ANZ-centric standards like the Australian Signals Directive’s Essential 8 and New Zealand’s CERT Top 10, to name a few. We read about the shortage of InfoSec professionals across the world, and according to the ISC2 Cybersecurity Workforce Study from 2022, 3.4 million cyber professionals are needed across the world to plug the current gap.

Many of the breaches we read about are with organisations large enough that you would have to assume they have security teams or can fund outsourcing, but why are so many of the most basic security controls not being implemented? Are these executive management problems caused by a lack of commitment and investment? Are technical controls either not being implemented or are they inadequate? Is it more basic stuff like having robust processes and procedures or better monitoring and reporting? Is it that we are lacking a good standard of InfoSec professionals? Is it underinvestment or a lack of people? Are industry standards too complex to understand or implement effectively? Is the risk-based approach still a viable one to prioritise what requires investment and improvements and what does not? Or is it simply too much of the ‘it will not happen to me’ syndrome?

I often reflect on whether there was the same level of debate around the creation of large and diverse HR teams back in the day when they were not a ‘thing’, as there is today around investing in security teams in house or outsourcing. I doubt there are many organisations today that do not have some form of HR capability, and for most large organisations this is now simply a cost and a requirement of doing business in the modern world. Security needs to be the same. The idea that you can assess an organisation’s risk posture to discern if having MFA or undertaking patching is a solid investment or not, whether it will generate an ROI, or whether it will negate a specific, heretofore unidentified business risk is nonsense in my view. This and many other security capabilities simply need to be seen as a cost of doing business in a connected world. Given how many breaches we see that can be at least partially attributed to a lack of MFA alone, it is mind-boggling. And this is just picking out one of the more fundamental security controls that should be in place.

I Doubt There Are Many Organisations Today That Do Not Have Some Form Of Hr Capability, And For Most Large Organisations This Is Now Simply A Cost And A Requirement Of Doing Business In The Modern World

Is this the responsibility of individual organisations, the security community and our collective expertise, our executive management teams and boards, the government, and associated regulations and regulatory authorities? What is not working, and why are the bad guys making vast sums of money while more and more organisations are getting their brands in the headlines? Figures vary from source to source, but the cost of cybercrime globally ranges from an estimated $6 trillion (USD) in 2021, $7 trillion to $8 trillion in 2022, and up to a predicted $10.5 trillion by 2025. These are eyewatering figures when you consider the combined value of Facebook, Amazon, Apple, Netflix, and Microsoft is circa $4.8 trillion USD, and in 2021, Canada’s GDP was $1.98 trillion.