There is no Silver Bullet for Cyber Security
A customer recently asked me to obtain written assurance (from a technology vendor) that this vendor’s technology has never been breached and will never be breached. In essence, the customer was looking for written assurance and guarantee of ‘no vulnerabilities’ – not in the past, and not in the future.
I must politely state that I found it to be an unfair ask from the customer. It is a step beyond asking a car manufacturer to guarantee that their vehicle will never break down. Asking for technology that cannot be breached is like buying a car, and asking for a guarantee that it will never be broken into.
Cyber Security vendors, too, need to be careful in how they market their products. Exaggerated promises and lost-in-translation communication create unrealistic expectations.
The inevitable nature of cyber breaches
In the age of digital transformation, the adoption of emerging technology constantly widens the target attack surface and creates new points of vulnerability. Organisations develop new customer-facing applications which also become subject to attack. Insider threats have not gone away either. Cyber Security is becoming more work over time, not less.
The nature of cyber threats changes over time. For example, AI was heralded as a magic bullet for protecting applications and networks – but AI is a security problem as well as a security solution. Almost any tool or technology used to protect against hackers can be used by hackers to perpetrate an attack.
Threats evolve, and as a response, CISOs invest in new cyber defence technologies, expecting guarantees that they will strengthen their network defence. But this is a false hope. Cyber security technology is always ‘just another technology’. It needs to be implemented and used by experienced professionals, for its purpose, and inside scope. Technology never works in isolation from people and processes. Any vendor’s solution, no matter how good, must be implemented with the right frameworks to achieve a secure and reliable outcome.
The inevitable solution
The solution to this issue comes down to the right people asking the right questions. Asking whether a security technology will ‘guarantee’ data protection will only lead to one answer: no, it will not.
The better question to ask a vendor concerns threat detection and response. How will this technology improve my ability to detect a breach? How will it improve my ability to respond? Where do the platform’s capabilities begin… and where do they end? What else must I have in my arsenal to protect my organisation, my business partners and customers, and our data?
Focus on the goal
Our overarching goal is deterring and discouraging professional cyber criminals. We can do this by detecting attacks 24×7 and responding so quickly that the hacker never gains anything of value. We have a responsibility to make our systems difficult to penetrate, but we should never ever make impenetrability our goal. Again, the goal is deterrence – and protecting data as a result – not finding the ‘cure’ or the ‘solution’ that makes our systems impossible to hack.
Cyber-attacks are inevitable. There is no magic bullet cyber security solution yet. Of that we can be sure.
When there is a magic bullet for cyber security, I will become a yogi!
If you would like to give your organisation the best possible chance of detecting and defeating the many cyber attacks it is exposed to, contact us for a confidential discussion of your needs.