Infosec professionals believe cyber-adversaries have a distinct advantage over cyber-defenders, according to new research from ESG and the Information Systems Security Association (ISSA).

Cybersecurity professionals are paranoid by nature. That’s not a bad thing; it’s a job requirement. We want our cybersecurity team to “think like the enemy” to discover and remediate vulnerabilities as rapidly as they possibly can. Aside from this cynicism, my cybersecurity friends also take great pride in what they do. Like Elliot Alderson from the TV series “Mr. Robot,” many cybersecurity professionals want to save the world (from hackers and the like).

With this profile in mind, some of the data from the latest report from ESG and ISSA fits with this professional mistrust. (Note: I am an ESG employee.) For example, 91% of cybersecurity professionals surveyed believe that most organizations (other than their own) are extremely vulnerable or somewhat vulnerable to a significant cyber attack or data breach (i.e., one that disrupts business processes or leads to the theft of sensitive data). This question has been included in the survey for the past three years, and the results haven’t changed a whit, which is one indicator of just how bad things are.

As part of this year’s project, survey respondents were also asked about the balance of power between cyber-adversaries and cyber-defenders. The results were equally depressing – 59% of respondents believe that in general, cyber-adversaries have a big advantage over cyber-defenders, while 34% claim that cyber-adversaries have a marginal advantage over cyber-defenders.

Why the imbalance? Cyber-adversaries are well organized and cooperative. There are strong divisions of labor and even customer services between coders and criminals. Cyber-adversaries have access to hacking tools written by government intelligence agencies with advanced skills. Finally, hackers can afford to be persistent and patient.
It’s OK for them to experiment, fail, re-group, and try again. Sadly, a skilled adversary can find their way into networks with a bit of sweat equity. For those of us who live in the world of cybersecurity, these results aren’t surprising, but they should be alarming to everyone – business people, legislators, consumers, and citizens. The battlefield is heavily tilted toward black hats, with cybersecurity professionals constantly fighting uphill. Pure and simple, the ongoing cyberwar isn’t a fair fight. We as a society need to accept this reality and put more effort and resources into balancing the playing field. Technology hyperbole and arm waving won’t cut it.

Note: The ESG/ISSA research report, The Life and Times of Cybersecurity Professionals, is available for free download. We encourage all interested parties to read the report and provide us with your feedback.