Fundamentals are critical to the foundation of an information security program (or strategy). Deficiencies in information security fundamentals are analogous to cracks in a fortress foundation. Fortress defenses won’t stand and neither will your information security protection.
The Information Security ABCs are drawn from information security fundamentals. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.
TRUTH: If more people and organizations applied the fundamentals, we’d eliminate a vast majority of breaches (and other bad things).
Here’s our progress thus far:
- “A” is for accountability
- “B” is for business
- “C” is for cybersecurity
- “D” is for data
- “E” is for everyone
- “F” is for fundamentals
- “G” is for governance
- “H” is for holistic
- “I” is for if
- “J” is for jaded
- “K” is for key
- “L” is for layers
It’s been too long, but the time has come for the letter “M”.
The magnate’s magnitude of money-motivated myriad manipulation makes mayhem and mess of society’s macrocosm, masqueraded with mentor-less and maladroit management whose malfunctioning mandates manifest in the malefactor’s monopoly.
The letter “M” is for “money”. It shouldn’t be, but it is.
Last year (2020) we spent an estimated $123,000,000,000 (that’s $123 billion) on “cybersecurity” worldwide. That’s a helluva sum of money, and it begs the question:
- What did we get for all this money?
- Was (all/some/any of) this money well spent?
- Is this too much money, not enough money, or about right?
At a macro level, these questions are nearly impossible to answer objectively. There isn’t uniformity in how we apply or measure information security effectiveness (although we’re working hard to change that) and we don’t have quality data. When we consider estimated losses (to “cybercrime”), maybe we get an indication of how well we’re doing.
According to estimates/predictions from Cybersecurity Ventures, cybercrime will cost us $6,000,000,000,000 (that’s $6 trillion) this year (2021), up from $3 trillion in 2015. The trend doesn’t appear to reverse anytime soon, with 2025’s losses expected to approach $10.5 trillion.
Are we doing this right? Our cybersecurity investments are growing, but our losses are growing faster.
Who’s getting paid?
Simple. The $123 billion goes into our pockets. The $6 trillion goes into the criminals’ pockets.
There are many, many good people making a good living in our industry. They’re “good” people because they do their work for the right reasons, to protect others, and to protect information that’s been entrusted to them.
We all get paid in this industry. I get paid, you get paid, our co-workers get paid, our bosses get paid, the companies we work for get paid, etc., etc. Some of us get paid a lot, some of us get paid less. There’s nothing wrong with getting paid. We have bills and people to support (whether it’s just us, our family, etc.).
According to CyberSeek, there are 956,341 people employed in the U.S. “cybersecurity workforce” and nearly a half million job openings. The supply of talent is “very low” and the demand is high. If you believe the numbers, our job prospects should be good for a long time. According to ZipRecruiter, “the Average Cyber Security Salary” is $112,974 per year, ranging from $125,664 in New York to $82,936 in North Carolina.
Again, if we agree with these numbers, the average worker in our industry makes good money. We make twice as much as the average U.S. worker. This is good!
The criminals are expected to steal nearly $6 trillion worldwide in 2021. This is a HUGE number, so let’s try to put this into perspective.
- The worldwide economy (GDP – nominal) is roughly $94 trillion, so cybercrime is costing about 6.38% of the world’s economy.
- The global pharmaceutical market is roughly $1.27 trillion. Cybercrime has this number beat by a factor of four.
- Some estimates put the global drug trade at roughly $450 billion. Not even in the same league as cybercrime.
- Only the United States ($22 T), European Union ($19.2 T), China ($16.6 T), and Japan ($6.2 T) have economies larger than the cybercrime economy.
Cybercrime is expected to grow by as much as 15% annually. There are (at least) three primary reasons why global cybercrime has gotten (and continues to get) out of hand:
- Lack of accountability. The lack of accountability when it comes to information security is astounding.
  - There’s very little (if any) accountability for the criminals.
  - There’s no accountability for software companies writing crappy code (as long as we keep buying it, they’ll keep selling it).
  - There’s very little accountability for the CEO who ignores his/her responsibility to protect the company’s assets and customers’ data. Compliance is a joke because we stop once the box is checked. As long as nobody really pays the price, there isn’t much motivation to change. Instead of individuals paying the price, the costs are spread across a wide population through higher fees, higher prices, etc.
- We like our ignorance. Nobody will admit it, but we must not really care. We have the illusion of care, but we don’t really care. If we did, we would nail the basics. We don’t like the basics because the basics are work. The criminals like that we don’t like the basics because they have less work too. We do less work, they do less work. Maybe that’s the twisted win-win here.
- We adopt technology much faster than our ability to secure it. We live in an easy button, instant gratification, entitlement world where we lust for new features, blinking lights, and hot gadgets. Every day, we add more and more complexity to our lives, pushing good information security further and further out of reach. Complexity is the worst enemy of security.
The cost of cybercrime seems like a cost we’re willing to accept and it’s definitely a cost we’re going to pay. This doesn’t magically go away, and the endgame is actually pretty scary to think about.
There are the wolves (the criminals) and there are the wolves in sheep’s clothing (those in our industry who take advantage of others in our industry). There’s a population within our industry who doesn’t give two sh*ts about protecting the innocent, but instead prey on their fear and ignorance. These are the vendors and marketers who will keep selling you crap you don’t need, can’t use, or doesn’t work. Some of these players are very big, and I won’t name names, but you know who they are.
The illogical acceptance of vendor BS:
Vendor: “Buy my thing, you need it.”
Ignorant Victim: “OK, if you say so. It looks cool.”
Ignorant Victim: “Hey, I think your thing is making me vulnerable.”
Vendor: “Well you have to patch my thing.”
Ignorant Victim: “But it’s your thing, why do I have to patch it?”
Vendor: “Because when you bought it, the liability became your thing.”
Ignorant Victim: “OK. How often do I need to patch your thing.”
Vendor: “We don’t know, maybe monthly.”
Ignorant Victim: “Hey, I don’t think your thing works.”
Vendor: “Oh, that’s because you didn’t configure it right.”
Ignorant Victim: “How do I configure it right?”
Vendor: “You can try reading the manual or you can attend our training. Attending our training is recommended, and it’s only $5,000.”
Ignorant Victim: “OK, so I should pay $5,000 to learn how to use your thing that I paid you for?”
Vendor: “Yep, that’s how it works.”
Ignorant Victim: “Hey, a criminal hacked your thing and stole a ton of stuff from us.”
Vendor: “That sucks. Oooh. Looks like you didn’t have our other thing that would protect the first thing from criminals.”
Ignorant Victim: “So I need to buy another thing from you to protect your first thing that was supposed to protect me?”
Vendor: “Yep. Times change and we gotta keep up.”
Ignorant Victim: “Hey, me again. Looks like somebody compromised the first thing again, even though we had the second thing.”
Vendor: “Yeah, that’s because we don’t support the first thing anymore. You should have gotten the nextgen first thing.”
Ignorant Victim: “But it seems like the first thing should have done the things that the nextgen thing does now.”
Vendor: “Well, not really. The nextgen thing uses this new proprietary technology that nobody knows about or can explain.”
Ignorant Victim: “I don’t think the nextgen thing is serving our needs anymore. It’s really hard to use and I can’t afford the manpower to run it.”
Vendor: “Lucky you! We’ve got a new cloud nextgen managed service thing! You’ll love it.”
Ignorant Victim: “Cool! Do I still need the nextgen first thing and the second thing?”
Vendor: “We can get rid of the nextgen first thing because we moved that to the cloud, but you should keep the second thing. One more thing, we need to add a third thing so we can talk to the cloud through it.”
Vendor: “So how you liking this cloud thing? We just released the hypergen version, and I’d like to show it to you. Oh, and by the way you’re still patching the first thing and third thing, right?”
Ignorant Victim: “Patching? Um, yeah, we’re doing that. Tell me more about this hypergen thing.”
Vendor: “Oh crap! Our nextgen cloud thing got hit. You suffered because you weren’t in our hypergen thing yet. We’ve added a new feature to the hypergen thing that you’ll need too. It’s super cool, it’s a feature that can think for itself! We call it ‘artificial intelligence’. It’s finally the easy button we’ve all been looking for!”
…and the insanity never ends.
Some marketers and vendors in our industry are top notch, but there are far too many who will sell you anything to get your money. They don’t care if it’s the thing you should buy or if it’s a thing you can even use. Just buy it.
Somehow, someday, we need to hold information security product and service vendors accountable for:
- Making sure their products and/or services do what they say they do. False advertising needs to go.
- Making sure they don’t sell things that aren’t the right fit. Stop selling customers (or victims) things they can’t use, aren’t ready to use, or shouldn’t use.
- Making sure they’re held liable for damages caused in full or in part because of their faulty products and/or services.
The truth is, any organization who doesn’t understand and practice information security fundamentals is the PERFECT victim for the criminal AND the wolf in sheep’s clothing. What are the fundamentals? Good you asked.
Information Security Fundamentals
I won’t spend a ton of time on this because we could write a book on this. Wait a second. I did, and so have others.
- Roles and responsibilities. Who’s responsible for what and what’s expected of them? Once defined, motivate and hold people accountable.
- Asset management. You can’t possibly protect the things you don’t know you have. If asset management seems too complex, it’s probably because your environment is too complex, and something’s out of whack. Assets come in three flavors: hardware, software, and data. You could add “people” as an asset too, but you know, people are hard.
- Control. Only now can you determine what controls are adequate. You can’t secure what you can’t control, and there’s lots to do here. Configuration control, access control, change control, etc.
- Wrap all this in risk management. Information security IS risk management.
Don’t know what risk management is, or not certain? Make it simple:
- Assess, Decide, Implement/Do, Assess, Decide, Implement/Do, etc.
- Risk Assessment – good assessments are objective, measurable, comprehensive, and actionable.
- Decide – only four choices here: accept the risk, mitigate the risk, transfer the risk, or avoid the risk.
- Implement/Do – do the work it takes to make the decision a reality.
- Risk is the likelihood something bad will happen and the impact if it did. Likelihood and impact are driven by threats and vulnerabilities. (Note: you won’t know your vulnerabilities without asset management.)
- If we’re talking “information security”, we’re talking about operational/administrative controls, physical controls, and technical controls. This is NOT an IT issue.
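To make the Assess, Decide, Implement/Do loop concrete, here is a small risk register in Python. It is an added example, not code from the post or its author: the assets, findings, 1-to-5 scoring scales and decision thresholds are all constructed for illustration. It scores each finding as likelihood × impact, maps the score to one of the four decisions (accept, mitigate, transfer, avoid), assigns every action to the asset owner defined under roles and responsibilities, and, matching the note above, refuses to assess a finding against an asset that is missing from the inventory, turning that inventory gap into its own action item.

```python
"""Minimal risk register: Assess -> Decide -> Implement, built on an asset inventory.

Constructed example: the assets, findings, scales and thresholds are made up
for illustration and are not a standard or anyone's real data.
"""
from __future__ import annotations

from dataclasses import dataclass

# The four risk decisions named in the post.
ACCEPT, MITIGATE, TRANSFER, AVOID = "accept", "mitigate", "transfer", "avoid"


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str      # "hardware", "software" or "data"
    owner: str     # role accountable for the asset (roles and responsibilities)


@dataclass(frozen=True)
class Finding:
    asset: str                 # must match an Asset.name in the inventory
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    transferable: bool = False # e.g. insurable or outsourceable to a processor


def risk_score(finding: Finding) -> int:
    """Risk = likelihood x impact on the 1..5 scales above (max 25)."""
    for v in (finding.likelihood, finding.impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be 1..5")
    return finding.likelihood * finding.impact


def decide(score: int, transferable: bool) -> str:
    """Map a score to one of the four decisions (thresholds are illustrative)."""
    if score >= 20:
        return AVOID                     # stop doing the risky thing
    if score >= 10:
        return TRANSFER if transferable else MITIGATE
    if score >= 5:
        return MITIGATE
    return ACCEPT


def assess(inventory: list[Asset], findings: list[Finding]) -> dict:
    """Assess step: score every finding whose asset is in the inventory.

    Findings against assets that were never inventoried cannot be assessed;
    they are reported separately so the inventory gap becomes an action.
    """
    by_name = {a.name: a for a in inventory}
    register, unknown = [], []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            unknown.append(f.asset)
            continue
        score = risk_score(f)
        register.append({
            "asset": asset.name, "kind": asset.kind, "owner": asset.owner,
            "threat": f.threat, "vulnerability": f.vulnerability,
            "score": score, "decision": decide(score, f.transferable),
        })
    register.sort(key=lambda r: r["score"], reverse=True)  # worst first
    return {"register": register, "unknown_assets": sorted(set(unknown))}


def action_plan(assessment: dict) -> list[str]:
    """Implement/Do step: turn each decision into an owned action item."""
    plan = [f"Add '{name}' to the asset inventory and assign an owner before assessing it"
            for name in assessment["unknown_assets"]]
    for r in assessment["register"]:
        plan.append(f"[{r['decision']}] {r['owner']}: {r['asset']} / "
                    f"{r['threat']} via {r['vulnerability']} (score {r['score']})")
    return plan


# --- constructed sample inventory and findings (not real data) ---
INVENTORY = [
    Asset("customer-db", "data", "Data owner"),
    Asset("vpn-gateway", "hardware", "Network lead"),
    Asset("billing-app", "software", "Application owner"),
]

FINDINGS = [
    Finding("billing-app", "card data theft", "full card numbers stored in-house", 4, 5),
    Finding("customer-db", "ransomware", "backups never restore-tested", 4, 4),
    Finding("vpn-gateway", "credential stuffing", "no MFA on remote access", 3, 5),
    Finding("billing-app", "chargeback fraud", "manual refund approvals", 3, 4, transferable=True),
    Finding("billing-app", "defacement", "verbose error pages", 2, 2),
    Finding("legacy-fileshare", "data theft", "unknown: never inventoried", 3, 3),
]

if __name__ == "__main__":
    for line in action_plan(assess(INVENTORY, FINDINGS)):
        print(line)
```

The register deliberately carries the owner on every line: a risk decision nobody is accountable for is just a finding with a number next to it. Running the script prints the inventory gap first, then the five assessed findings from the highest score to the lowest.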
M is for money. Lots of money.
Some people say this is a dog eat dog world. I like dogs. They’re wonderful creatures. Often the difference between what makes a good dog and a bad dog is how they were raised. I believe all dogs were good at the start, but some got stuck with sh!tty owners.
The good dog – The good dog serves others. They’re loyal, selfless, dependable, loving, etc. Most people in our industry are “good dogs”, myself included. We’re in this for the right reasons, and we make money as a reward for the good honest work we do.
The bad dog – The bad dogs serve themselves. They steal, fight, hurt others, etc. The criminals are “bad dogs”, but sadly so are some people in our industry. They make money by taking advantage of others. Most bad dogs know they’re bad, but some lack the self-awareness to know any better.
Be a good dog. Make lots of honest money AND make a positive difference in the lives of the people we serve!