The first step in fixing a problem is admitting you have one. The computer security industry has long been broken and needs some serious fixes. The world spends many billions of dollars fighting cybersecurity threats, more and more each year, and threats, risks and exploits are just getting worse. We have even accepted that computer security is so bad that we must adopt an “assume breach” mentality.
I’m here to say that an assume-breach mentality is for losers. I and others think that we all need to be better about “defeating breach” or minimizing breaches. No one is saying that any of us can ever defeat 100 percent of all hacker or malware tries, especially without making the defenses so onerous that no one wants to use them. We are saying that what the herd is doing is not working. We’re not just complaining. We have specific, actionable, recommended fixes.
I wrote about the problems and solutions defenses in my latest book, A Data-Driven Computer Security Defense, which was recently nominated for the 2019 Canon Cybersecurity Book Hall of Fame. The core problem is that most computer security defenders are not right-aligning their defenses against the biggest threats they face, which is exacerbated because defenders don’t focus enough on the root cause of successful exploits.
This means most organizations are not spending enough time and resources to fight social engineering exploits and on better patching for the most commonly exploited software. If more organizations did those two things, there would be a lot less successful hacking. I’m going to spend the remainder of my career focusing on these two issues, because everything else most organizations worry about doesn’t equate to 10 percent of the risk.
Here are two other books that offer fixes.
Evan Francen’s Unsecurity
I recently ran into a kindred spirit, Evan Francen, CEO and founder of FRSecure. I don’t think I’ve met a more successful guy in this industry with less bullshit. Like me, his core mission in life is to fix a broken computer industry, except he’s doing it as an entrepreneur. He founded his computer security company with that mission. I’ve met and talked with him for months. It’s one of his most closely held core beliefs.
A lot of what FRSecure does is security audits —not the BS-filled security audits that are nothing but compliance checkboxes. His company really does care about making a client’s security much better by looking at the problem with a holistic approach. He even wrote about his problems with the overall industry and how to fix it with his recently released book, Unsecurity: Information Security is Failing. Breaches are Epidemic. How Can We Fix This Broken Industry?.
In his book, Evan wasn’t afraid to name names and rant on about all the broken parts. It’s a great book and I think any C-Level IT security worker will be frequently nodding in agreement with his assertions and suggested fixes. I appreciate Evan’s perspective because he has dealt with thousands of companies and even works as a virtual CSO for many. He’s seeing the problem from the inside and from the perspective of someone who has to deal with business operations and still getting the security job done.
Evan frequently challenges business leaders to figure what computer security means to them and why they want it. He takes them back to the basics to create a stronger, agreed-upon foundation on which everything else can be built. He is a firm believer that spending more time up front defining why you’re doing something and what that something is will lead to a better overall product.
He has also dedicated his life’s vision to creating a common core way of assessing computer security readiness and being able to quickly communicate that across companies. He sees the myriad current Tower of Babel frameworks and assessment strategies as a core problem to our insecurity.
To that end, his company has created an assessment strategy and language called FISASCORE/FACTSCORE, which he hopes will be globally adopted. It’s a big bet in a space where lots of others have failed, but you don’t reach the stars without trying. I’ve met Evan. He just might do it.
Bruce Schneier’s Click Here to Kill Everybody
Bruce has been looking at the problems and solutions for decades. Across his career, he tends to focus on the very basic, underlying, foundational issues such as human biology or the larger, strategic issues around how countries and their governments should try to fix the problems. His latest book, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, focuses mostly on the latter. It’s his ultimate capstone book from decades of looking at the problems, analyzing how governments are trying to improve things, and what it would take to really get progress.
I don’t think anyone is better situated to see the big picture and know what the real solutions are. Bruce is a realist. He not only talks about the best possible solutions, but paints a picture of what he thinks, given the world’s governments, is really possible. I have no doubt that any country, culture or government that implements his solutions will be stronger for it. Any entity ignoring his advice is going to suffer worse problems and pain than they could have along the journey.
You should read these books to really understand the problems of and solutions to our failed industry. Interestingly, they don't overlap much. Each presents its assessment of the problems and what the fixes are. What they agree on is that what we have been doing for over three decades is not working. We need radical transformation to fix our broken industry. It will be fixed one way or another. The only question is if it will happen because of thoughtful, considered planning or in response to some global pandemic compromise.