I would expect that practically every infosec professional has been asked at one time or another “Are we secure?” by non-technical senior executives. Technical executives know better than to ask the question.
But what is an appropriate answer? If you say “Yes” you have assumed all responsibility and let senior business management off the hook if there is a breach. If you say “No,” it begs the question “Then why am I spending all this money on security?” And if you prepare your “elevator speech” in an attempt to explain the actual situation in words of more than one syllable, you can see eyes glazing over.
This reminds me of the old joke where one asks the innocent question “How’s your spouse?” only to get the response “Compared to whom?” Joking apart, this answer is quite appropriate in response to “Are we secure?” A common criterion for an acceptable level of security is to meet or beat the level attained by peers, namely, those in the same industry or sector, or of about the same size, with similar assets needing protection, regardless of what that standard might be. This, of course, has led to certain major industries being hit time and time again because the lowest common denominator of cybersecurity is far below essential practices. But this still does not address the dynamics of the situation.
In his must-read article “Are We Any Safer?” in the September 2016 issue of The Atlantic magazine, Steven Brill does an exceptional job in describing safety measures taken by the U.S. government since 9/11, indicating where there have been successes and where they have failed. It’s a very disturbing piece. I was particularly taken by the sentence describing the current situation: “Our defenses are far stronger [than on 9/11], but what we have to defend against has outpaced our progress.”
This is so true of cybersecurity also. My fellow editors, Jennifer Bayuk and Dan Schutzer, and I attempted to take on this issue in our 2009 book “Enterprise Information Security and Privacy” (Artech House). We quoted Marshall McLuhan several times, including the following definitive statement: “Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterday’s tools and yesterday’s concepts.”
Brill’s article recounts many instances where technologies take too long to develop and deploy, and how too many of those technologies are found simply not to work as required after the government has spent billions of dollars on them. Brill also describes how priorities keep getting shuffled around, leading to important work being delayed interminably or back-burnered altogether.
Brill does talk to “cyberterror,” but only minimally (one out of 25 pages). This is far less than the subject warrants or deserves. He presents a relatively sanguine overview of national cybersecurity with a quote from Linda Monaco, the White House homeland security and counterterrorism advisor, who says: “With cyber, we’re not there yet, but we’re getting there.” The question is “Where is there?” By the time we get “there,” the threats and attacks will have advanced so that “there” will likely no longer be nearly good enough. Brill also talked to Phyllis Schneck, head of DHS’s cybersecurity and communications unit, who “seems to have put the agency on a better track” by “professionalizing” the National Cybersecurity and Communications Integration Center (NCCIC). The initiatives described for identifying and responding to attacks and for sharing information are all good. It is a shame that it has taken so long for the government to get its act together. It remains questionable, however, whether even these heroic efforts will stem the tide.
In 1999, led by Stash Jarocki, a group of infosec professionals, including me, from the Banking and Finance Sector, launched the FS-ISAC (Financial Services Information Sharing and Analysis Center), the first and arguably the most effective such entity for sharing cybersecurity information within the industry and between it and government. Others have followed, but the “bad guys” still outpace the defenders’ ability to communicate useful information quickly and directly.
So the answer to the question “Are we secure?” is clearly “No” or, if you want to lend a more optimistic note to your response, “Not yet.” We still have a long way to go before we can even catch up with some future state of defense, which will not be adequate until the defenders have surpassed the attackers in the art. But, in order to achieve that, we need to go well beyond the laudable DHS and private sector efforts that are now in place. If you are behind in a race, you obviously have to run faster than the front runners in order to win. We must accelerate the pace of developing defenses in order to get out in front. Otherwise we will continue to have to clean up the debris after catastrophic cyber events happen. The question should not be “Are we secure (or safe) yet?” but “What do we need to do to be secure (or safe) enough?” Now you’re talking!