Blind spots: How cyber defense is like stopping Tim Tebow
CSO - Cyber defense faces a growing disconnect between perception and reality.
There are two main camps in the information security world today, and their arguments can be compared to the recent football debate as to whether Tim Tebow (photo below courtesy of Jeffrey Beall/Wikimedia Commons) can be successful as an NFL quarterback in the long term.
In one camp, we have salespeople, marketers, various security entrepreneurs and "experts" telling executive decision-makers that cybersecurity is straightforward, if you just do it their way. This is strikingly similar to sports pundits who insist that a quarterback with limited passing skills (i.e. Tebow) simply can't cut it against today's sophisticated NFL defenses.
In the other camp, we have self-described pragmatists who in practice often trudge cyber around like Eeyore the donkey, proclaiming that hackers with zero-day exploits not only can get into your systems, but in fact are already there, and will never leave. This group corresponds to Tebow's most ardent supporters. They've made their decision regarding Tebow, and their "he just wins and has a great attitude so ignore the rest" argument seems to trump other measures of success.
[Also see Lohrmann's presentation 7 reasons security pros fail]
I would argue that both camps, in cyber defense as in football, have blind spot--holes in their perception that limit their effectiveness.
Let's look at the Tebow argument a bit more and see what it can teach us about our cyber defense mission.
Team 1: "Cyber Defense is as Easy as Stopping Tim Tebow"
Overheard: "We offer better protection, more peace of mind, and a complete security solution for less money with our new managed 'xyz' product/service." This boilerplate marketing claim makes cyber defense appear as easy as buying a car. All you need to do is hand over the virtual keys to your new trusted security partner!
The more sophisticated members of Team 1 will readily acknowledge past mistakes and security industry product and service failures. In fact, mocking recent tactics by other companies and discussing new global threats facing the cyber defense business is an important part of their intriguing sales pitch.
Nevertheless, they insist that their new offering is somehow different. The pitch goes something like, "We know why that 'their' last product failed to live up to expectations, but we've incorporated a new rigor, new secret sauce, a new approach into our patented solution that are competitors are missing. We've gone back to the basics to uncover the reasons why everyone else lacks what we have."
This group tends to be overconfident with bold victory predictions. "This is really very easy. There is no way that our product or service will fail. We've now figured cybersecurity out."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts