Cyber-Risk Management: This is not a technical problem

In the Q&A following a keynote I gave two weeks ago, a gentleman asked me “when are we going to solve this cyber thing so we can get back to business?”  I told him I had bad news, we are never going to “solve” the cybersecurity challenge.  This is a problem that will be with us for the foreseeable future.  There is good news however.  It is manageable as long as you correctly characterize the issues and accept the fact this is fundamentally a leadership challenge.

No matter what your business sector, you rely on the ability to operate in cyberspace. The same goes for our government and especially so for the Department of Defense.  Public sector or private sector, you use cyberspace to get information, move information and use information to make better decisions faster than the competition.  And we are not going back.  Our reliance on cyberspace is here to stay, so we need to understand how we are going to handle the risk.  An important initial step is to correctly characterize the problem.

First, we have to accept the fact that from a technical perspective there is no perfect defense.  And that is not because of our technical capabilities; it is because we let humans use the network.  As long as our users are human, expect someone to click on that phishing email, someone else to plug in a thumb drive they got at the last conference, someone else to access a file sharing site filled with malicious activity and, in the worst case, someone to become a disgruntled insider threat.  In all of these cases, a simple action by a human will allow an attacker to bypass the majority of defenses put in place by the security team.  So, first, it is a people problem.

The second characterization of the problem is the relationship that exists between the offense and the defense.  No matter how efficient and effective the defender becomes, he will always be behind the offender for several reasons.  For one thing, the defender must block every attack to be considered a success, while the offender only needs to succeed once and he is in.  A second issue is the cost of offense vs. defense.  By some estimates the cost to the attacker is as little as 10% of the cost borne by the defenders.  Finally, the nature of technology means that no matter what solution the defense employs, the offense will find a technical counter, resulting in a never-ending spiral of competition between the technically skilled.  These characteristics all reinforce the concept that there is no permanent technical solution to the problem.

The third aspect of the problem is accepting our reliance on cyberspace and understanding why that creates risk.  We have to answer this question:  “What level of risk are we willing to accept to enjoy the benefits we gain from operating in cyberspace?”  Every business relies on access to cyberspace to compete in the marketplace.  No one can afford to disconnect from the internet.  And, almost every business has critical data or intellectual property that is accessible through cyberspace.  Since we cannot “unplug,” cybersecurity becomes a risk management problem.  Risk decisions are made every day with regard to financial risk, operational risk, legal risk and other common risk categories, but the tradeoffs involving cyber security are less quantifiable and less well understood.   The result tends to be a focus on the issues that are easier to assess and cyber-risk is delegated to those who are responsible for the technical aspects, but may not have insight into all of the business ramifications.  A holistic view of cyber risk is critical since cybersecurity touches almost every other risk category. 

There is no magic box to keep the Russians and the Chinese out of the network which is unfortunate, because solving a technical problem is actually easier than addressing the people issues and the complex risk management problem.  So our ability to manage this risk will come from good leaders who establish an organizational culture where cybersecurity is a component of every key decision.  Fortunately, good leadership is technology agnostic.