Why Cybersecurity Requires Process Engineering

Surviving Armageddon

Helen Patton

For those of us who follow cybersecurity trends, we are in a time period of struggle and angst. I don’t remember it being quite so grim before. Wherever you get your information, even if you don’t work in cybersecurity, the feed is full of stuff going wrong. Do you see what I’m seeing?

  • Increased volumes of attacks, not just ransomware, but general data theft and other mischief, that are impacting multiple organizations simultaneously
  • Attacks that have severe consequences — loss of life, business-killers, critical infrastructure impact
  • More government regulations — mostly quite sensible, but landing on organizations without the means to comply
  • Cybersecurity layoffs — at a time when companies need security more than ever, heads are rolling in the name of efficiency, not risk management — a bill that will come due whether the security teams are there to support them, or not
  • New company liabilities that land directly on the Chief Information Security Officer — who often lacks the liability protections of other c-suite members

This isn’t just the warning shot across the bow, it feels like we are in a full-on war. Between attackers and defenders, regulators and companies, security teams and business leadership.

“The more technological a society is, the greater the security gap is.” — Bruce Schneier (2012)

In cybersecurity, our focus has historically been on defending against “the attacker”. We’ve put all our energy into defense against the TTPs (tactics, techniques and procedures) used by external attackers to infiltrate our systems to cause harm. Our boards and c-suites ask what we’re doing to protect against these external threats; our security leadership is putting resources towards identifying IOCs (indicators of compromise) to more quickly identify when something is going wrong; the security vendor ecosystem is spending billions on protection, detection and response capabilities; and we celebrate security researchers who ethically identify and notify companies about zero-day vulnerabilities. Great.

Except it’s not great. Companies, even super-rich-have-all-the-resources companies are…

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange