Blind spots: How cyber defense is like stopping Tim Tebow
CSO - Cyber defense faces a growing disconnect between perception and reality.
There are two main camps in the information security world today, and their arguments can be compared to the recent football debate as to whether Tim Tebow (photo below courtesy of Jeffrey Beall/Wikimedia Commons) can be successful as an NFL quarterback in the long term.
In one camp, we have salespeople, marketers, various security entrepreneurs and "experts" telling executive decision-makers that cybersecurity is straightforward, if you just do it their way. This is strikingly similar to sports pundits who insist that a quarterback with limited passing skills (i.e. Tebow) simply can't cut it against today's sophisticated NFL defenses.
In the other camp, we have self-described pragmatists who in practice often trudge cyber around like Eeyore the donkey, proclaiming that hackers with zero-day exploits not only can get into your systems, but in fact are already there, and will never leave. This group corresponds to Tebow's most ardent supporters. They've made their decision regarding Tebow, and their "he just wins and has a great attitude so ignore the rest" argument seems to trump other measures of success.
[Also see Lohrmann's presentation 7 reasons security pros fail]
I would argue that both camps, in cyber defense as in football, have blind spots: holes in their perception that limit their effectiveness.
Let's look at the Tebow argument a bit more and see what it can teach us about our cyber defense mission.
Team 1: "Cyber Defense is as Easy as Stopping Tim Tebow"
Overheard: "We offer better protection, more peace of mind, and a complete security solution for less money with our new managed 'xyz' product/service." This boilerplate marketing claim makes cyber defense appear as easy as buying a car. All you need to do is hand over the virtual keys to your new trusted security partner!
The more sophisticated members of Team 1 will readily acknowledge past mistakes and security industry product and service failures. In fact, mocking recent tactics by other companies and discussing new global threats facing the cyber defense business is an important part of their intriguing sales pitch.
Nevertheless, they insist that their new offering is somehow different. The pitch goes something like, "We know why 'their' last product failed to live up to expectations, but we've incorporated a new rigor, new secret sauce, a new approach into our patented solution that our competitors are missing. We've gone back to the basics to uncover the reasons why everyone else lacks what we have."
This group tends to be overconfident with bold victory predictions. "This is really very easy. There is no way that our product or service will fail. We've now figured cybersecurity out."