Popular culture has done one thing for the cyber security profession: made it seem relatively cool. A standard crime or action drama has trendy cyberpros, fingers dancing on slick keyboards while reams of incomprehensible text or graphics scroll smoothly by. These folks are abnormally attractive, luxuriously ensconced in palatial, trendy offices, and report to serious, considerate, worldly leaders.
Sadly, in reality the script is entirely flipped. Most security folks desperately try to make the case for an organization to patch its hardware and eliminate access to insecure consumer technology, all while making do with skimpy budgets. Security tools are purchased without training or robust implementation services, staffing is minimal, and technology and security risks remain unmanaged at the enterprise level. Offices are micro-cubicles that are harshly lit with soul-sucking corporate fluorescent. No tasteful coffee bars or inviting work nooks to be found. Plus I look exceptionally stupid in a slouchy beanie.
One area that meshes with TV reality is the plethora of security tools in the enterprise space: firewalls, IDS/IPS, SIEM, endpoint, asset managers, vulnerability scanners, policy tools, ad infinitum. Over a dozen screens with hundreds of reports, alerts and klaxons compete for the attention of the few infosec folks who attempt to reduce the risk of a data breach on a daily basis. With the enterprise security market flooded with products equivalent to the melon baller, security vendors are churning out more products that 80 percent of the market will never use, or at least never use effectively.
Not content with the data overload from SIEM tools, vendors are flogging User and Entity Behavior Analytics (UEBA). This tech has been out there for the last few years, normally snapped up by early adopters with far larger budgets and more people than the rest of the pack. Purported to provide the ability to determine if normally good users are acting in a malicious way, or to use predictive analytics to determine where the next attack will come from, this technology does the ol’ wink and a nod toward the theory of making an organization 100 percent secure. Which is, of course, impossible. For one, the tool requires the extensive use of a security-centric analytics program, at least a team of three people and an enterprise maturity level that has gone beyond arguing over why executives shouldn’t use Dropbox.
For my money and if I had a wish that could be fulfilled, I’d get senior leadership to consider IT and Security risks as critical as financial ones. Which means hardware would be patched, users would be trained and existing tools would be configured and supported correctly. No need to spend another 500k on more lights that blink or ridiculous dashboards.
Let me know your thoughts in the comments below.