Why Complacency Is Killing Cyber Security Strategy


Today, there is a hyper awareness surrounding cyber security. A mad rush has ensued to make sure our businesses are protected. But we still hear of breaches and their effects on cyber safety. It seems to be an endless cycle that only gets worse.

The reason things continue to get worse is unrelated to technology; in fact, it is directly related to complacency. There are four simple reasons why complacency is strangling our cyber initiatives.

We're Unaware

I bet you're thinking "this does not apply to us." Three years ago I would have made the same statement. Then I would have enumerated how we were preventing "the bad guys" from accessing our networks and stealing our information. If given the opportunity, I would've detailed the man hours my team spent implementing reactive measures. In hindsight though I am comfortable saying we were complacent.

Complacency is simply a lack of awareness. Implementing detective measures limits our perception significantly. Traditionally, information security best practices dictated a combination of continuous diagnostics monitoring (CDM) as well as certification and accreditation. These measures are passive approaches and severely curtail our ability to defend our networks.

To develop our situational awareness, we must begin actively looking for intruders. We must change our policies, processes, and technology to support an active "hunt" effort. Knowing your enemy is a great slogan but what will you do with that information.

We're Under Invested

Defending our organizations (our livelihoods) is an investment in the future success of our organizations. We can no longer view security as a cost center. Integrating cyber strategies into our core organizational processes is key to our success.

We need to move away from functionally centered teams because they create stove pipes. Collaboration across all functional areas is a requirement to devising a sound strategy. All of this requires the allocation of additional resources.

Rest assured that attackers (whether the nation-state or organized cyber criminals) are doing their homework. They are investing the time, money, and talent to attack (successfully) their targets. After all attacking YOUR organization is paramount to their organizational success.

We're Overwhelmed

Not too long ago, I sat down for lunch with a friend who leads a large organization. He explained that his group was attacked approximately 500 times a day. Currently, he has no dedicated security staff and cannot afford to hire trained information security personnel. His only alternative (he explained) is to leverage existing information technology staff.

Without a significant change, attacker ability will quickly exceed their capacity to respond effectively.

We're Missing Pieces

The strong cyber strategy builds upon people, processes, and technology. Technology without people degrades our ability to make real-time decisions based upon nuances derived from emotion. People without technology overwhelm our human resources. Similarly, processes without technology are a dead end street. After all, without people and technology how do we develop or implement those methods.

The landscape has changed. Today organizations operate on a battlefield that transcends time, location, and physicality. For many Americans assimilating this mindset represents a significant challenge. Daily attacks on our life and livelihood are relatively foreign concepts for most America.

If you want to take the first step, start improving your awareness. Start asking yourself today "Am I breached?"