State of Cybersecurity

Some thoughts on cybersecurity products and the business as a whole

  • business
  • cybersecurity

I currently have two products where I’m splitting my time. The original is, of course, SkySiege, which is a labour of love built off many, many years of experience in cloud environments, where I have seen architectural failures and security issues abound.

I’ve been the person pulled into these horrible situations, even having to rescue a number of projects, environments and, dare I say, companies from complete failure. These events have been testing and straining, and all of them were preventable. Personality-wise, I have a deep distaste for preventable failure. Mostly because when you pick up the pieces enough times, you start to question why. You learn to see the massive problem when others don’t.

I’m not totally alone in seeing these issues, but it is a rarer condition than it should be. The reality is that people are happy to make do until it all blows up.

Just this week, Instagram had its support AI chatbot change the email addresses for accounts just because you asked it to. That means you could go to the Instagram support bot and simply state that you are the owner of the White House Instagram account and need your email reset and as long as you were somewhere in the United States, the Instagram bot would go ahead and reset it to any email address you wanted.

Let’s be real here: if the priority were less about utilising AI and more about providing secure and reliable systems that aren’t going to blow up in your face, then this would never have happened. But the priority is chasing the quarterly report and whatever objectives dictated from up high. In this case, it’s almost certainly about utilising AI to cut costs, no matter what ill-designed outcomes may come with it.

Therefore, I have another product that I’ve been working on, which I resurrected from a prototype from 10+ years ago. It is meant to provide visibility into unseen analytics and a beautiful, end-to-end, easily visible configuration for analytics and consent, so that people can make good decisions with good data at the end of the day.

It is easier to comprehend, works in an area that I know and understand well and requires a mix of diverse knowledge to deliver. In my research, there are solutions that do some of it, but nothing that does it as cleanly or as easily. I’ve done it in about a month of diminished full-time work due to my other responsibilities, but it’s there, it’s in testing now and I’ve released it into a closed production environment for a few select organisations.

I still work on SkySiege, but the reality is that even though it has value and I have experienced that value, it is a much more difficult and niche responsibility. It adds a burden to my customers to know and understand the pain SkySiege fixes, yet that pain is not known or understood until you have faced it and lived it and breathed it yourself. SkySiege is for the scarred; Truly Analytics is for the ambitious, which is most people.

So I will play the long game with SkySiege until it gets to the point where it is exactly where I want it to be. Even though it’s a security tool at heart, it provides full visibility and value across not just security, but costs, architecture and general good practice.

On Cybersecurity

So let’s speak honestly about the state of cybersecurity. It is possibly the worst - or definitely one of the worst - industries for effectively describing risk. That’s why I perceive so much of its GTM as fear-based. Additionally, it has so many people talking as opposed to doing that it becomes a cacophony of noise, with very little actionable, example-based information out there.

Take Common Weakness Enumeration IDs (CWEs), for example. They are used for identifying what type of vulnerability exists and how that vulnerability can be classified. However, there are more CWEs assigned than there are examples of how those CWEs had a negative effect. That’s an absolute example of pontification over concrete risk assessment. There is a lot more attention on how to classify the risk into a CWE than on how that risk could actually be a problem.

I think that contributes to the cybersecurity industry being mostly a number of services that simply feed information rather than actionable advice. I also think that’s why there have been so many boot camps and other services that speedrun people into security, as opposed to boot camps for mainframes, concurrency or other difficult technical problems. That’s because, at the end of the day, a lot of cybersecurity business is just talking as opposed to doing. Your cybersecurity service probably doesn’t have people that are going to do more than feed you an RSS feed, so it’s OK if the sum of their experience is a 28-day bootcamp.

I also think it’s why there are so many security tools with an origin in black-hat purposes, which makes sense, as black-hat use has a much firmer economic value proposition, whereas the white-hat position is less quantifiable. An easy example - if your goal is cash fast, it is a lot easier to utilise black-hat tools to break into various Wi-Fi networks and build a botnet, because that has a clear, marketable economic value, than it is to attempt to sell protection from becoming part of a botnet to legitimate organisations.


Please note...

I haven’t built a botnet or gone rogue at any point.

Why?

I don’t think it’s a legislation issue. I think it’s an issue where these problems started to arise and, by the time the white-hat market had solidified enough, it was already too late. By then, so much data had already been stolen that the consequences had arguably been lessened, and major, embarrassing compromises just are not as big a deal. They almost give an air of legitimacy to becoming compromised.

For example, Capital One lost so many records and so much sensitive data, and yet they have continued on as a business almost unhindered. The white-hat community still points to and talks about Capital One because, yes, it is legitimately an example of serious compromise with serious consequences. And yet the data that was lost is almost just an addition to the data that had already been lost from other sources.

In a way, the biggest and most relevant compromises are the Marks & Spencer compromise, which hit them for millions because their business couldn’t operate and the Code Spaces compromise, which killed the business. Those are the real potentials of what can happen. But in the grand scheme of things, a compromise is an unpleasant experience for a business, but often less unpleasant than getting your taxes raised or getting your CEO and head of HR caught on a kiss cam.

Security and cybersecurity do matter, but I think it is going to have to get to the point where businesses start getting destroyed or brutally incapacitated, much like Marks & Spencer. In some ways, that relies on the insecurity of the world as a whole. Take Maersk’s rebuild after NotPetya: the whole company was nearly destroyed. The whole company estate was crypto-ed, barring one unaffected machine in Africa. That machine was then shipped to the headquarters in London to be utilised as a clone to roll out and refresh all machines globally.

A few years after doing that and literally rescuing that company from severe operational damage and potential death, the company sacked all of the IT staff in the London office and shipped their jobs off to India.

You have to listen to the market, and the market doesn’t really care about security. Facebook just broke the integrity of all Instagram accounts globally so that they could have an AI chatbot. That’s where the priorities lie, and that’s fine. I personally care because I’m in the cleanup jobs that turn technicians’ hair grey and cause humongous amounts of stress that could all be easily prevented.

But I don’t think the majority of humans, or the organisations made up of those humans, know that it was preventable until it’s too late.
