Cybersecurity: why is it so hard to get anything right?

When it comes to cybersecurity, why does it feel like everything is on fire all the time?


If you’ve been reading any news lately you know there are more security bugs and breaches than anyone can keep track of. From Equifax to Microsoft to Kaspersky and beyond... if I were an observer from the outside I would wonder what on earth is going on with cybersecurity. Why can’t anyone ever seem to get anything right?

That’s not exactly the right question, but at the same time it is a valid question to ask. Why does it seem like in the context of security nothing ever goes right? It feels like everything is on fire all the time. Everywhere anyone looks all they see is failure. Where are the stories of security going right? Is there even one story about security going right?

I’m going to use the latest bug in Microsoft’s DNS library to help explain what’s going on here. This bug has been titled “A Bug Has No Name” as a cheeky reference to Game of Thrones. A less exciting name would be CVE-2017-11779. This bug is rated “critical” which is as bad as it gets for a Microsoft patch.

Now Microsoft literally wrote the book on security development. There’s nobody that can do it better, yet they still have plenty of problems. All we ever seem to hear about are the security fixes that keep coming every month. Where are the stories about all the things they do right?

It might sound counter-intuitive, but we don't actually want to see a narrative about things going right. In a mostly working system, a story emerges when something breaks. In a completely broken system, the story is when something goes right. This means we’re not completely broken.

If we think about the state of the world today, everything still basically works. There are constant stories about how broken and terrible everything is, but at the end of the day nothing drastic ever changes because things are working well enough. A discussion about whether things should change can happen at a future date.

Microsoft has written and will continue to write a huge amount of code. Nobody comments on how many bugs they fix per day. No doubt that number is huge, and it just isn’t an interesting story compared to a critical bug that was fixed in the DNS library. The work happening in all software, every day, is keeping the world running.

So maybe everything isn’t as terrible as it appears?

The answer to why it’s so hard to get anything right isn’t really about everything going wrong. It’s a story about all the things that go right. Most organizations get more right than they get wrong. This seems hard to believe if you only pay attention to the news of the day.

Microsoft does have some of the best security development on the planet. But they’re never going to get everything right all the time. The reality is they get things mostly right, most of the time. And when they do find a mistake, they deal with it quickly.

I don’t have any amazing ideas about how to fix our current problem. The point of this article isn’t to fix any problems. It’s really just to understand what we see today. Everything isn’t actually on fire, but the things that are on fire are burning very very bright.

We aren’t going to see anything drastic change unless things get a lot worse. And I mean A LOT worse. Historically we’ve not fixed problems before they are quite literally hurting people and lighting rivers on fire. We’re not even close to that with software. Yet.

It’s quite possible this is just the way things will be. We should hope not, but unless something happens that is the catalyst we aren’t going to see any serious change. Real change happens when people want to change. We’re not there today. Nobody really wants to change because things are basically working well enough.

So back to the question “why is it so hard to get anything right?” That’s not the right question. The question we need to start asking is “is it time for change?” At the time of writing this article, the answer is “no.”

Copyright © 2017 IDG Communications, Inc.