Critical Mass
I recently attended Infosec Europe, held at the ExCel in London’s docklands. For those not familiar with this UK exhibition centre, it is vast! The site offers approximately 90,000m² of exhibition space divided into 44 exhibition rooms of approximately 2,000m² each. Infosec Europe used seven of these halls (S1-S7), opening out into a single space covering a total area of over 13,000m². In other words, it was huge! Filling the space were nearly 400 exhibition stands, the majority of which were occupied by scores of people from organisations that sell products relating to cybersecurity. There were also thousands of visitors, people like me who were there to network with other cybersecurity professionals, learn about the latest trends, speak with potential suppliers and create opportunities for collaboration.
I described my visit to the conference as both overwhelming and underwhelming. The main benefit of an event like this is the opportunity it affords to expand my network and meet former colleagues, clients and friends. The downside of an event like this is the number of former colleagues, clients and friends I wanted to see! I met some, but ran out of time to meet many others. This frustration was surpassed by the nauseous feeling that had been growing during my visit. The pit of my stomach was struggling to cope with the expanse of the venue, mixed with the acerbic over-consumption of the plethora of technologies proclaiming to be the solution to our cybersecurity problems. I lost count of the number of marketing slogans containing words that shout “100% secure” at the top of their voices. The senses were taking a battering — I did not have the requisite variety to decipher what I was hearing or seeing.
The sea of smiling faces and cacophony of confident voices masked the silent elephant in the room. With all these ‘solutions’ on offer, cybersecurity is still struggling to overcome the growing number of data breaches, the year-on-year costs associated with managing those breaches, and the growing number of victims of cybercrime. If there was a silver bullet among the products and services on display within the exhibition hall, it was not apparent; and I very much doubt there was one. In fact, that is the problem: many of these organisations sell their wares on the premise that they can reduce cybersecurity risk to zero, yet there was no evidence on display to show this to be the case. So I left the venue feeling overwhelmed and underwhelmed, and unclear how these organisations can effectively help us manage the cybersecurity threats we face in digital technology.
That’s not to say that there were no organisations offering some great tools. Indeed, many of them do, but they are not in a position to solve the complex problems associated with cybersecurity through technology alone. There are changes that can and ought to be made within an organisation to manage the risks associated with cybersecurity. For example: create a learning culture and allow engineers the autonomy to develop standards for securing the products they develop and manage; set strategic direction on security within the organisation and communicate it effectively throughout the organisation; and emphasise the need to reduce the waste associated with developing insecure products, which ultimately affects profit.
There will come a point when the plethora of businesses offering cybersecurity tools will hit a critical mass. Some businesses will be acquired, others will merge, and some will simply fade away. Buying tools ticks boxes; it gives the appearance of addressing security. However, I believe that a focus on people and practices within an organisation to improve cybersecurity is often overlooked. Therefore, I’d like you to consider the following as I close this article: how can your organisation develop a strong cybersecurity culture that integrates the right technologies and practices into its value streams to protect the assets it manages? Hint… tooling is not the answer!