This is the first installment of a four-part series on the equal nature approach to cybersecurity.
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
What is Cybersecurity?
The answer to “What is Cybersecurity?” changes every couple of years based on how the industry views threats to networks and the available capabilities to counter those threats. The capabilities available have matched the increasing knowledge of the developers and security experts, but the information used to develop the capabilities has been in response to what the malicious actors do, not necessarily what can be done to prevent the successful exploitation of the vulnerabilities.
So, what is Cybersecurity?
In today’s world, Cybersecurity stands for the actions done to protect your networks from exploitation. This is a simplistic view of what Cybersecurity is, but sometimes simplicity is what’s needed to properly explain an issue with this many nuances.
Early Network Protection Practices
Some of the earliest thinking about network protection was to keep the responsibility in the hands of the “experts”, or, rather, networking professionals. Who else could possibly understand what it takes to protect a network than the people who built and maintain those networks? The problem with that thinking is the network you built structurally is what you put in place, but what runs on those networks is built by third party developers and used by the general public. Yet, no fault can be blamed on those early practices, as they worked, but not for long.
Defenders slowly started to gain ground on the attackers, able to implement defenses which created problems for the malicious actors. That did not last for long, as the malicious actors have the benefit of time to research and exploit vulnerabilities throughout the network, with defenders always having to react to those exploits rather than with proactive measures.
Shifting to a Proactive Approach to Cybersecurity
The malicious actors started to outpace the defenders, causing a change in the community from reactive defense to the proactive measures which are required to properly defend. However, the proactive measures initially deployed were quickly outmatched by the malicious actors.
The initial proactive measures used by network professionals were all technology based. This was not a bad method, but technology requires information, information which has been proven to only be available after a successful exploit. The malicious actors realized they must change tactics again to be more successful, changing to social engineering work and the rise of spear-phishing attacks. This too can be countered through technology, but it is always behind relying on already occurring spear-phishing campaigns.
None of this is news for any cybersecurity professional and is not offered up here as a referendum on how cybersecurity has progressed in the last 15 years. It is only here to provide a level of background as to how cybersecurity has progressed and some of the thought progressions involved.
In the past couple of years the network security community has slowly evolved to a new way of thinking of how to conduct Cybersecurity, and while it may not be the final answer, it is an approach which has learned from the past and works to provide balance for organizations in their network security.
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.”
The True Nirvana of Cybersecurity
The new approach works to find balance between three areas: people, process, and technology. These are routinely shown in an equilateral diagram graphic, demonstrating the equal nature of all three areas.
The equal nature approach is the true nirvana of Cybersecurity, the ability of every organization able to bring the resources and priority to protecting their networks. Yet this is not how the real world works.
During the next three posts I will dive deeper into what people-process-technology means, focusing a post on each side of the triangle. The posts are to outline what each part of the triangle means in a perfect world, but also to show that even organizations which may not have all of the resources of a larger corporation might be able to increase their network security and provide protections against the malicious actors.
Cybersecurity is not the ability to throw a piece of technology on your networks, but how to approach each facet of the cybersecurity triangle and implement the most effective version.
Photo credit: Brook Ward