There is a fracture in our modern way of life. The crack is imperceptible to most, even though it’s a dire threat. The public sees the recent headlines about the HBO hack and the company’s proprietary information being held ransom for $6 million, or reads reports of last year’s DNC breach. But these news stories don’t inspire anxiety the way that, say, a terrorist shooting would. Perhaps understandably, the concept of leaked “Game of Thrones” episodes or illicitly shared emails seems, to many people, cause for personal embarrassment, not national emergency.
When it comes to cybersecurity, companies need force fields, not walls
The threat landscape has changed so dramatically, so fast that it has outpaced previously sound security practices.
Now imagine that the same bad actors attack the U.S. electric grid with malware and cause a multistate outage. (It has already happened in other countries.) Or cyberterrorists breach our water-treatment facilities and tamper with the ratio of chemicals in the cleaning process. Or what if so-called “black hats” shut down ATM networks and the banking system — do you have paper statements or screengrabs of your last balance to prove how much is in your accounts?
Imagine being deprived of electricity, water or money for food and medicine. Does that now qualify as grounds for alarm?
If the challenge is analyzing the inhuman scale and speed of today’s potential threat incidents, then companies need an analytical system that isn’t constrained by human limits.
Cybersecurity is no longer a matter of protecting against mere nuisance. Over the past 15 years, the digital threats to our physical lives have become graver, and the perpetrators of them more capable than most people realize. As the financial rewards for breaching institutions grew, amateur hackers gave way to professionalized cyberterrorists. Nation-states are putting young people through school and then aiming them at other countries. And as we saw with the Sony Pictures hack of 2014, nation-states are even directing attacks against specific companies.
It’s these major companies, in fact, that are the most attractive targets. Unfortunately, enterprises today are dangerously ill-equipped to mitigate their risk of a breach. Having spent my career in IT and software security, I can attest that the measures that companies are presently taking are only providing them with protection from potential legal liability, at best.
To an extent, it’s not their fault. The threat landscape has changed so dramatically, so fast, that it has outpaced previously sound security practices. The problem is twofold. One part of the problem is insoluble; but the other, businesses can remedy — and have no existential choice but to do so.
The first part of the problem is that there’s been a flood of digital information in the last few years. Of the data that currently exists in the world, more than 90 percent of it was created in the past two years alone. Moreover, this storm front of data is amassing exponentially, not linearly.
We walk around with devices in our pockets that have more processing power in them than Deep Blue did when it beat Kasparov at chess 20 years ago. We use these smartphones to take 85 percent of the digital photos that will be captured this year, and to send out tweets, which in the past two years contained more words in aggregate than in all books ever published. Meanwhile, businesses are hungry to collect the maximal amount of data they can about our shopping, driving, dating, styling and all our other life habits.
The second part of the problem is that this data surplus drives a people shortage. The way that cybersecurity works in large companies today is that their security operations centers are the first line of defense against possible breaches. These SOCs are staffed by analysts, usually relatively junior, whose job it is to find the signal from the noise in all these data. They review detection alerts, interpret and pass judgment on whether it’s an actual threat, and then contain or elevate the threat.
The problem is that there are simply not enough people with the skills to meet current, let alone future, demand. There are nearly two million open security positions today. It’s not feasible to train enough people in time to fill these existing openings, much less keep pace with the accelerating need. What this means is that there are almost two million security gaps in the defenses of our most valuable and important companies. The ones that haven’t being hacked owe more to luck than their cybersecurity protocols.
Machines can review incidents faster and more consistently; they can detect anomalies across data sets that no person would catch, and they can work 24/7/365 without fatigue, ennui or bias.
The analyst-shortage piece of the problem, however, can be addressed if businesses have the foresight and prudence to completely rethink their approach to cybersecurity. Namely, if the issue is that there not enough qualified people for the current security model to work effectively, then they need a solution that isn’t as reliant on people. If the challenge is analyzing an inhuman scale and speed of potential threat incidents, then they need an analytical system that isn’t constrained by human limits.
There has been a lot of discussion lately about robots and artificial intelligence taking away jobs. This is not that. There are simply not enough people for the security roles that are needed, and no way to train sufficient numbers to keep up with the ever-growing dangers. Machines can review incidents faster and more consistently; they can detect anomalies across data sets that no person would catch, and they can work 24/7/365 without fatigue, ennui or bias. Moreover, freeing human analysts from the trenches of enterprise security allows them to focus on the kind of higher-order decision making of which computers aren’t capable.
Five years ago, we didn’t have the processing power or sharply focused enough algorithms to teach machines the judgment of a seasoned cybersecurity expert. But now we do, and it would be malpractice if companies didn’t deploy this technology to protect themselves.
We’re at a discontinuity, and we need to jump to the next curve. Cybersecurity isn’t something we can get better at a little at a time. The threat is growing exponentially, therefore we have to improve exponentially. Realize that the old defenses are crumbling. Businesses can’t continue to chase cracks and patch faults. They have to stop thinking walls and start thinking force fields.
Mike Armistead, CEO of Respond Software, is an industry veteran with three decades of leadership experience in the security, application development and consumer internet arenas. He co-founded Fortify Software in 2003, and served as VP and general manager for both the Fortify and ArcSight business groups after the companies were acquired by HP in 2011. Reach him @ArmisteadMike.
This article originally appeared on Recode.net.
