Why “Complete” Cybersecurity Is An Oxymoron

Discussion on how organizations can never truly reach a “total” cybersecurity state and why “complete” cybersecurity is an oxymoron.

Given the complexity and dynamism of digital environments, more companies are discovering that cybersecurity realistically can’t deliver on the goal of absolute security. Security experts affirm, however, that robust risk management and resilience are attainable goals.


Why Complete Cybersecurity Is A Contradiction In Terms

Cybersecurity measures often depend on the cooperation and participation of users. However, not everyone has the knowledge, motivation or incentive to follow best practices or comply with regulations. Some users will compromise the security of their systems or data, whether intentionally or by mistake. The human factor is the largest variable in an organization's security posture and the hardest one to control.

Cybersecurity products and services can themselves contain hidden vulnerabilities, flaws or backdoors that malicious actors can exploit or that compromise user privacy; a security agent that runs with high privilege on every endpoint is itself a high-value target. They may not be as secure as vendors claim, and they can introduce new risks or trade-offs. Security controls can also conflict with other goals or values, such as usability, performance or privacy.


Cyber threats constantly evolve and adapt to changing technologies, policies and behaviors, making it hard to anticipate, detect and respond to every threat effectively. Attackers use novel techniques, tools or vectors to bypass security defenses or target new or emerging systems or applications that have not been adequately secured or tested.

Strengthening Cyber Resilience

Cyber resilience is an organization's ability to continue operating with minimal disruption in the face of cyberattacks. It involves a deep and broad approach that covers people, products and processes. Here are some key considerations for optimizing cyber resilience:


People

The human factor is often the weakest link in cybersecurity. Therefore, training and educating users on cyber risks, best practices and incident response procedures is necessary. Additionally, it is essential to have a dedicated team of cybersecurity experts who can monitor, detect and respond to cyber threats, and who automate those tasks wherever possible.

Products

Cybersecurity products include the software, hardware and services that prevent, detect, block and mitigate cyber threats. Examples are penetration testing, endpoint security, firewalls, encryption, identity and access management, zero-trust networking and data backup. Integrating several such layers (defense in depth) boosts cyber resilience: an attacker who defeats one control still has to defeat the next, and the failure of any single product no longer means compromise.

Processes

Security processes are the policies, standards and procedures governing how an organization manages its cyber risks. These include risk assessment, governance, compliance, incident response and business continuity. These processes should be aligned with the organization’s objectives, risk threshold and regulatory requirements.

Threat Surfaces

Reducing the threat surface, more commonly called the attack surface, minimizes the exposure of an organization’s digital assets. Eliminating unnecessary or outdated software, hardware, open ports, services and code reduces the number of entry points and weaknesses an attacker can exploit. Fewer, better-secured components also make it easier to monitor, manage and enforce security policies and standards, and to notice when something appears that should not be there.
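As an added illustration of the monitoring side of this point (example code, not from the article), the script below parses a constructed sample in the format of `ss -tulnpH` output and flags every listening service that is not on an explicit allowlist, separating services reachable from the network from those bound only to loopback. The sample lines, process names and the allowlist are all constructed for the example; a port whose owning process differs from the allowlisted one is reported too, since that is how a hijacked or replaced service shows up.

```python
"""Added example: audit listening sockets against an allowlist.

The sample below is constructed in the style of `ss -tulnpH` (header-less)
output and is not taken from any real host; the allowlist is an assumption.
"""
import re
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      50           0.0.0.0:21        0.0.0.0:*    users:(("vsftpd",pid=1340,fd=4))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=702,fd=8))
tcp   LISTEN 0      128             [::]:8080         [::]:*    users:(("java",pid=2210,fd=21))
"""

# (protocol, port) -> process that is allowed to own it. Constructed for the example.
ALLOWLIST = {("tcp", 22): "sshd", ("tcp", 443): "nginx"}

LOOPBACK = {"127.0.0.1", "::1"}

_PROC_RE = re.compile(r'\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # bind address without the port, e.g. "0.0.0.0", "::", "127.0.0.1"
    port: int
    process: str   # owning process name, or "?" if ss could not resolve it


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -tulnpH` style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                                  # skip blank or malformed lines
        proto, local = fields[0], fields[4]           # Netid and "Local Address:Port"
        host, _, port = local.rpartition(":")         # rpartition copes with IPv6 "[::]:8080"
        m = _PROC_RE.search(line)
        listeners.append(Listener(proto, host.strip("[]"), int(port), m.group(1) if m else "?"))
    return listeners


def audit(listeners: list[Listener], allowlist: dict) -> tuple[list[Listener], list[Listener]]:
    """Split listeners that are not explicitly allowed into (exposed, local_only).

    A listener is allowed only if both the port and the owning process match
    the allowlist entry; a different process on an allowed port is still flagged.
    """
    exposed, local_only = [], []
    for lst in listeners:
        if allowlist.get((lst.proto, lst.port)) == lst.process:
            continue
        (local_only if lst.addr in LOOPBACK else exposed).append(lst)
    return exposed, local_only


if __name__ == "__main__":
    exposed, local_only = audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST)
    for lst in exposed:
        print(f"EXPOSED    {lst.proto}/{lst.port:<5} {lst.addr:<10} {lst.process}")
    for lst in local_only:
        print(f"local-only {lst.proto}/{lst.port:<5} {lst.addr:<10} {lst.process}")
```

On the constructed sample this reports the FTP daemon, SNMP and the Java service on 8080 as exposed and unlisted, and the loopback-only database as informational. Running the real `ss -tulnpH` output through the same functions on a schedule, and diffing against the last run, turns the "eliminate unnecessary services" advice into a check that fails when a new listener appears.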

Cyber Threat Vigilance: A Never-Ending Process

Cyber resilience requires a strategic and proactive approach integrating security, monitoring and recovery capabilities. It also requires continuous improvement and learning from cyber incidents. By implementing cyber resilience measures, an organization can minimize the impact of unexpected security incidents, reduce the effect of cyberattacks and enhance its business performance.

Zero-day exploits, which target vulnerabilities that are unknown to the vendor and for which no patch yet exists, are an example of a critical threat that requires increased vigilance. Such attacks are becoming more frequent and sophisticated as malicious nation-state actors and cybercriminal gangs apply their sizeable resources and skills.

Many zero-day exploits target memory-safety bugs, allowing attackers to read sensitive data, corrupt systems or execute arbitrary code. Writing new code in memory-safe programming languages (such as Rust, Java or Python) removes whole classes of these bugs: the language enforces bounds checks and manages memory lifetimes, so a buffer overflow or use-after-free is rejected at compile time or stopped at runtime instead of silently corrupting memory. The guarantee covers only the code written in those languages; native libraries, explicitly unsafe blocks and the language runtime itself remain potential weak points, and memory safety does nothing against logic flaws such as injection or broken authentication.

Measures To Boost Security Risk Management

Security risk management is a strategic and continuous process that aims to identify, assess and control security risks through:

• Assessing potential threats

• Identifying critical assets

• Evaluating the potential impact of those threats on those assets

• Developing mitigation strategies to minimize risk

• Continuously monitoring and reporting on the strategy's effectiveness

An essential component of security risk management is using complete and up-to-date information on Common Vulnerabilities and Exposures (CVE) records. CVE standardizes how publicly known vulnerabilities are identified and described so that organizations can assess their exposure and prioritize remediation. The CVE Program is run by the MITRE Corporation, which operates the National Cybersecurity Federally Funded Research and Development Center, and is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security. The NIST National Vulnerability Database enriches CVE records with severity (CVSS) scores and affected-product data, which is usually what remediation is prioritized on.

However, consuming CVE information is not enough. Organizations also need policies and procedures that require software vendors and device manufacturers to publish CVE records for their products and to state the root cause as a Common Weakness Enumeration (CWE) identifier. A record that says which component is affected, in which versions and why (a stack-based buffer overflow, say, rather than just "a crafted input") lets IT understand the nature and severity of a vulnerability and apply the right patch or workaround. It also lets security analysts spot patterns and trends across a vendor's vulnerabilities and develop proactive defenses.
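The policy above is only enforceable if someone checks the records. As an added example (not from the article), the code below reads a CVE record in the shape of the CVE JSON 5.x record format and reports which of the required elements are missing: a CWE root cause, an affected product and version range, a CVSS base score and a reference URL. The record is constructed for illustration; the CVE ID, vendor, product and URL are placeholders, not a real advisory, and the field names follow the published 5.x schema as I understand it.

```python
"""Added example (not from the article): check whether a vendor-supplied CVE
record carries the information the policy asks for. The record below is
constructed in the shape of the CVE JSON 5.x record format; the CVE ID,
vendor, product and URL are placeholders, not a real advisory.
"""
import copy
import json

SAMPLE_RECORD = json.loads("""
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
  "containers": {"cna": {
    "descriptions": [{"lang": "en",
      "value": "Stack-based buffer overflow in the configuration parser of ExampleAgent before 2.4.1."}],
    "affected": [{"vendor": "ExampleVendor", "product": "ExampleAgent",
      "versions": [{"version": "2.0", "lessThan": "2.4.1", "status": "affected", "versionType": "semver"}]}],
    "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE",
      "cweId": "CWE-121", "description": "Stack-based Buffer Overflow"}]}],
    "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}],
    "references": [{"url": "https://example.invalid/advisories/0000"}]
  }}
}
""")

# A deliberately thinner copy of the same record: the vendor left out the
# root cause and the severity, which is exactly what the policy check should catch.
THIN_RECORD = copy.deepcopy(SAMPLE_RECORD)
del THIN_RECORD["containers"]["cna"]["problemTypes"]
del THIN_RECORD["containers"]["cna"]["metrics"]


def cna(record: dict) -> dict:
    """The CNA container holds the assigning vendor's own statements."""
    return record["containers"]["cna"]


def cwe_ids(record: dict) -> list[str]:
    """Every CWE identifier the record names as a root cause."""
    return [d["cweId"]
            for pt in cna(record).get("problemTypes", [])
            for d in pt.get("descriptions", [])
            if "cweId" in d]


def affected_ranges(record: dict) -> list[tuple[str, str, str]]:
    """(vendor, product, version range) for every version entry marked affected."""
    out = []
    for a in cna(record).get("affected", []):
        for v in a.get("versions", []):
            if v.get("status") != "affected":
                continue
            rng = v.get("version", "?")
            if "lessThan" in v:
                rng += f" to <{v['lessThan']}"
            out.append((a.get("vendor", "?"), a.get("product", "?"), rng))
    return out


def base_score(record: dict):
    """Highest-priority CVSS base score present, newest version first, else None."""
    for m in cna(record).get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in m and "baseScore" in m[key]:
                return m[key]["baseScore"]
    return None


def policy_gaps(record: dict) -> list[str]:
    """Return the policy requirements the record fails to meet (empty list = accept)."""
    gaps = []
    if not cwe_ids(record):
        gaps.append("no CWE root cause in problemTypes")
    if not affected_ranges(record):
        gaps.append("no affected product/version range")
    if base_score(record) is None:
        gaps.append("no CVSS base score")
    if not cna(record).get("references"):
        gaps.append("no reference or advisory URL")
    return gaps


if __name__ == "__main__":
    for rec in (SAMPLE_RECORD, THIN_RECORD):
        gaps = policy_gaps(rec)
        verdict = "OK" if not gaps else "REJECT: " + "; ".join(gaps)
        print(rec["cveMetadata"]["cveId"], verdict)
```

The same functions work on records pulled from the CVE Program's published JSON, since that is the format the constructed sample imitates; the `policy_gaps` list is what a vulnerability-intake process would send back to a vendor whose advisory omits the root cause or the affected versions.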

By using memory-safe programming languages and complete CVE information and by enforcing policies that require third-party vendors and manufacturers to disclose vulnerabilities and their causes, organizations can improve their resilience against zero-day threats and other attacks.

A Holistic Approach To Safeguarding Organizational Assets

Striving for complete cybersecurity does not close the gap between the ideal and the actual security state of an organization’s digital domain. I believe it is better to focus on the discipline of cyber resilience, which emphasizes the ability to withstand, recover and learn from cyberattacks. Cybersecurity as a binary outcome is currently an unrealistic notion. A risk-based approach that weighs the costs and benefits of different security measures is more realistic.

IT and security teams should concentrate on the people, processes and technology within a security risk management framework to deploy the most effective and efficient security controls for identifying, assessing, mitigating and monitoring cyber risks. Organizations can more effectively prevent, detect, block and respond to cyber threats and ensure business continuity through this holistic approach to cybersecurity resilience.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

License: You have permission to republish this article in any format, even commercially, but you must keep all links intact. Attribution required.