Reports about data leakages – even huge data leakages – are not headline news anymore because they happen so often.
I am a positivist and don’t like to focus on security incidents, but the number of incidents, especially the repetition of these security incidents, make me doubt that organizations truly understand cybersecurity. It appears to me that organizations focus on the wrong things within the cybersecurity domain. What do I mean by this?
Most organizations see cybersecurity as an approach to securing their IT environment by using several “best-of-breed” security point products, mostly working in silos and only covering one element of the large cybersecurity spectrum. They think in terms of “security instruments” instead of a holistic security strategy.
A cybersecurity strategy is there to mitigate risks so that the business can do its business. That’s the core function of cybersecurity. It’s my observation that most organizations don’t start with this core function as the foundation but focus on the tools that are often presented to them by point product security vendors.
If you build a house, you need to focus first on the foundation and not the solar panels on the roof. This analogy demonstrates my point that organizations don’t have the required approach. Most organizations start their security work by selecting the solar panels first and sometimes never think about the foundation, resulting in a continuous waste of spending on point products and following a security tools replacement strategy. This best-of-breed replacement strategy is normally executed via lengthy RFP processes based on the limited budget available for security. Because the world has become more digitalized and organizations are more complex, this approach doesn’t work.
Another important element is the fact that the adversaries (‘the bad guys’) are also more automated than they were ever before and work together in a seamless way, which makes the threat significantly more challenging than some years ago.
It’s simply impossible to secure an organization with siloed point products that don’t work together. Even if the point product claims to use the latest artificial intelligence, aka AI, for their endpoint protection or network security, it still only covers one part of the organization. Sophisticated adversaries know exactly how to enter an organization between the siloed point products.
So, does this mean that we need to accept this and consider cybersecurity an impossible mission? Certainly not!
Effective cybersecurity is possible, but it requires a different approach. This approach should always start with a risk assessment, based on a Zero Trust strategy. Cybersecurity must be handled holistically, instead of a continuous replacement of best-of-breed point products. A new house needs a foundation first before the solar panels can be installed on the roof.
To conclude this short article in a positive way, I have observed an increase in the number of organizations that embrace this “Risk-Based Zero Trust Approach”. Although these organizations are still the minority, the trend is positive. How this Zero Trust approach works—and what you can do as a cybersecurity professional to help your organization in this area—I’ll describe in Part 2 of this blog series.