Blind spots: How cyber defense is like stopping Tim Tebow
CSO - Cyber defense faces a growing disconnect between perception and reality.
There are two main camps in the information security world today, and their arguments can be compared to the recent football debate as to whether Tim Tebow (photo below courtesy of Jeffrey Beall/Wikimedia Commons) can be successful as an NFL quarterback in the long term.
In one camp, we have salespeople, marketers, various security entrepreneurs and "experts" telling executive decision-makers that cybersecurity is straightforward, if you just do it their way. This is strikingly similar to sports pundits who insist that a quarterback with limited passing skills (i.e. Tebow) simply can't cut it against today's sophisticated NFL defenses.
In the other camp, we have self-described pragmatists who in practice often trudge cyber around like Eeyore the donkey, proclaiming that hackers with zero-day exploits not only can get into your systems, but in fact are already there, and will never leave. This group corresponds to Tebow's most ardent supporters. They've made their decision regarding Tebow, and their "he just wins and has a great attitude so ignore the rest" argument seems to trump other measures of success.
[Also see Lohrmann's presentation 7 reasons security pros fail]
I would argue that both camps, in cyber defense as in football, have blind spot--holes in their perception that limit their effectiveness.
Let's look at the Tebow argument a bit more and see what it can teach us about our cyber defense mission.
Team 1: "Cyber Defense is as Easy as Stopping Tim Tebow"
Overheard: "We offer better protection, more peace of mind, and a complete security solution for less money with our new managed 'xyz' product/service." This boilerplate marketing claim makes cyber defense appear as easy as buying a car. All you need to do is hand over the virtual keys to your new trusted security partner!
The more sophisticated members of Team 1 will readily acknowledge past mistakes and security industry product and service failures. In fact, mocking recent tactics by other companies and discussing new global threats facing the cyber defense business is an important part of their intriguing sales pitch.
Nevertheless, they insist that their new offering is somehow different. The pitch goes something like, "We know why that 'their' last product failed to live up to expectations, but we've incorporated a new rigor, new secret sauce, a new approach into our patented solution that are competitors are missing. We've gone back to the basics to uncover the reasons why everyone else lacks what we have."
This group tends to be overconfident with bold victory predictions. "This is really very easy. There is no way that our product or service will fail. We've now figured cybersecurity out."
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!