When I entered the private cybersecurity industry last year after more than two decades in British and American security and intelligence services, including a stint at the National Security Agency in San Antonio, I knew it was a step into the unknown.
From the end of the Cold War to Sept. 11 through the wars in Afghanistan and Iraq, much has changed during the last 23 years. In response to this ever-evolving geopolitical situation has been a corresponding evolution in technology and approach to providing intelligence and security — and these changes continue to ripple through the business of security and intelligence today.
What I discovered were stark and unexpected inconsistencies in the industry’s approach to cybersecurity. I found tools and technology that would have made many of my previous missions immeasurably easier and more efficient. But I also observed many of the old approaches, long since abandoned at the national level, still being applied — and generally producing disappointing results.
I agree with Brian Kelly, Rackspace’s Chief Security Officer, who is working to bring cloud competitors together to share security information, when he says — as often as anyone will listen — that we cannot continue to apply yesterday’s solutions to today’s or tomorrow’s problems. The old methodology of ‘setting and forgetting’ a security box, on security box, on security box, is ineffective and it doesn’t scale.
But there are greater challenges facing the cybersecurity industry beyond outdated technology solutions. Three issues stand out: an overreliance on technology to beat a highly-trained human threat, an inability for security teams to communicate security breaches and threats in the language of business risk management and threat intelligence aimed at the wrong audience.
Blackhat, RSA and other security focused conferences are awash with established players and eager startups selling tools that purport to replace security operations centers, big data, scientists or threat intelligence teams. Demand for increased automation, ‘smart’ tools and advanced behavioral analytics is rising. These tools are important aids, but are insufficient in the face of the Advanced Persistent Threat (APT) actor — a well-trained, well-equipped, highly motivated person, who is infinitely more versatile than any piece of malware.
Technology alone will never replace the deep expertise that a highly skilled, motivated and supported human team can provide. Unless we train, equip and empower security analysts to take on the APT actor, we will lose more often than we win.
While there are many examples throughout history where military necessity led to pioneering technology and techniques later repackaged successfully for the private sector, when it comes to intelligence, it seems some lessons have not effectively made the transition.
Intelligence failures around Sept. 11, Afghanistan and weapons of mass destruction in Iraq were brought to the world’s attention by a number of reports and investigations that drove deep root and branch reform in the way intelligence services on both sides of the Atlantic approached reporting.
Yet commercial intelligence products today read like the reports of yesteryear. Valuable lessons learned around impact, reliability and readability have not made the leap, while the concept of ‘actionable’ has become diminished to mean little more than automation around intrusion detection systems.
At its core, intelligence must influence and inform decision-making — otherwise it is simply information. I can’t count the number of time I’ve sat in on executive-level, “strategic intelligence” updates, listening to one intelligence analyst or another drone on about how they had correlated one attack that happened months earlier to another that happened yet more months earlier.
So what? Post-event correlation is a useful analytical process, but in and of itself, it is not intelligence.
What use is that to an intelligence customer? For intelligence to influence and inform decision-making, the target audience must include security leadership — because it is they who make decisions. Intelligence producers must understand the intelligence requirements of the customers they serve (What keeps them up at night? What should keep them up at night?) and seek to answer those requirements. Challenging? Yes. But actionable intelligence must not be limited to analysts or the tools they use.
At the same time, I’ve seen chief security officers and security teams at various companies struggle to communicate the gravity of security incidents in a way that makes sense in the boardroom, where decisions are made.
The Sony hack and other well documented attacks are helping, but the struggle continues. I can’t emphasize enough: the threat landscape has changed; the risk to customers’ businesses has changed. Five years ago, three years ago, even a year ago, security was dominated by technical experts doing technical things in the background to make companies feel safer while going about their business.
But the rise in sophistication of hackers, especially around APT actors, has changed everything. Companies are coming to understand that hacks are no longer just a commercial inconvenience. Today, a security breach can be an Armageddon event for a company, threatening not just the business, but even leading to individual lawsuits against startled board members.
The communication of security risks can no longer afford to be a technical conversation; it must be a business risk management conversation. Security reporting absolutely should include the technical details analysts need, but Chief Security Officers and other key security figures must also be leaders who can help business by speaking the language business understands.
They say admitting you have a problem is the first step towards fixing it. Private sector cyber security and intelligence is definitely facing challenges, and fixing them won’t be easy. But having a clear picture of the problems we’re trying to solve is a good start.