Since the announcement of the latest breach, I've heard a lot of talk about who, how and where, theories on why or what's next, and suggestions on remedies. I'm not sure we're asking the right questions.
As with 90+% of the last 10 major attacks ("attack" is an interesting word; more on this later), we're willing to bet it came from a Nation State. Again, we learn that they had persistence in the environment for quite some time, but we can only speculate about their true motive. We know it will cost us money to work through the issues (some of us more than others).
Thomas Lyden, on the Customer Success team at RiskLens, has 20 years of senior leadership experience in cyber at SAIC/Leidos, EY, and many startups in the security field, serving government and commercial clients.
I've heard a number of experts and officials comment on the SolarWinds news and frankly I'm more than disappointed. I heard one say we need more "threat intelligence sharing" (OMG, the ISACs are the answer again). Others point to DevOps and secure code development/testing. What struck me was what I haven't heard.
I haven't heard that there is a tool, technology or method that prevented it, or that detected it in any useful timeframe.
So then what value (economic return in the form of risk reduction) are the tools you're buying actually providing? Should you be paying any more for your perimeter technology, your threat intel, that $M EDR platform, or whatever else you have up and down the stack?
If it was a Nation State and it was an attack, ask yourself why the status quo at institutions such as the DoD, NSA, CIA, Homeland Security and the State Department was not effective in deterring those actors and preventing harm. I believe the status quo has failed all of us, and will continue to fail, because there is no accountability. We hear all the excuses as to why we can't prevent this. We know who these actors are, and literally which facilities they work from, and we couldn't prevent it?
In every other domain there are international rules of use (doctrine), and when you break them there are consequences supported by the rest of the world. Cyber is a domain that is now thirty years old; what progress has been made here?
Getting to the Right Questions on SolarWinds
While I see no changes to this picture anytime soon, what I suggest is that business leaders spend real time (not one hour a year at the December board meeting) thinking about this question: is your cyber risk a technology issue or a business one?
By that I mean, think first and deeply about your ecosystem from the business/economic side, long before you think about it from the cybersecurity technology side (i.e. threat and vulnerability).
Break it down to the asset level, then work through every scenario that could have an economic impact on each critical asset, measure that impact in business ($) terms, and then and only then make decisions from there: accept that $ risk, transfer that $ risk, or mitigate that $ risk.
In addition, hold both the public institutions and the cybersecurity vendors that are meant to protect us from foreign adversaries accountable for doing just that. Be persistent in not just asking but demanding that they are clear about the amount of risk they reduce relative to the investment you are making in them. Whether it is a purchase contract or the taxes you pay, treat your cyber risk like you would any other major investment you make.
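The asset-level, dollar-denominated approach described above (and the earlier question of what risk reduction a tool actually returns for its price) is easier to argue about with numbers in hand. The script below is an added example written for this page; it is not code from the original post or from RiskLens, and every asset, scenario, frequency, loss figure, control cost and insurance premium in it is constructed for illustration. It assumes a single-event loss elicited as a median and a 90th percentile and fitted to a lognormal, a Poisson event rate, a control whose effect is expressed as fractions of frequency and magnitude removed, and a simplified insurance model in which a `retained_fraction` of the expected loss stays with the insured; the names `Scenario`, `Control`, `rosi` and `choose_treatment` are this example's own.

```python
"""Scenario-level cyber risk quantification in dollars.

Added example, not from the original post or RiskLens. All asset names,
scenarios, rates, loss figures, control costs and premiums are constructed
for illustration only.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.2816  # standard-normal quantile at the 90th percentile


@dataclass
class Scenario:
    """One loss scenario against one critical asset (hypothetical inputs)."""
    asset: str
    name: str
    freq_per_year: float   # expected loss events per year (Poisson rate)
    loss_median: float     # median single-event loss, $
    loss_p90: float        # 90th-percentile single-event loss, $

    def lognormal_params(self):
        # Fit a lognormal to the two elicited quantiles (median and p90).
        mu = math.log(self.loss_median)
        sigma = (math.log(self.loss_p90) - mu) / Z90
        return mu, sigma

    def expected_annual_loss(self):
        # Closed form: rate x lognormal mean = rate x exp(mu + sigma^2 / 2).
        mu, sigma = self.lognormal_params()
        return self.freq_per_year * math.exp(mu + sigma ** 2 / 2)

    def simulate_annual_losses(self, years=20000, seed=1):
        """Monte Carlo annual loss totals, used for tail (bad-year) figures."""
        mu, sigma = self.lognormal_params()
        rng = random.Random(seed)
        totals = []
        for _ in range(years):
            events = _poisson(rng, self.freq_per_year)
            totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
        return totals

    def tail_annual_loss(self, q=0.95, years=20000, seed=1):
        """The q-quantile of simulated annual loss (a 'bad year' figure)."""
        totals = sorted(self.simulate_annual_losses(years, seed))
        return totals[int(q * (len(totals) - 1))]


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


@dataclass
class Control:
    """A mitigation whose effect is stated as fractions of frequency/magnitude removed."""
    name: str
    annual_cost: float
    freq_reduction: float = 0.0       # share of event frequency removed (0..1)
    magnitude_reduction: float = 0.0  # share of per-event loss removed (0..1)


def residual_annual_loss(scenario, control):
    eal = scenario.expected_annual_loss()
    return eal * (1 - control.freq_reduction) * (1 - control.magnitude_reduction)


def rosi(scenario, control):
    """Return on security investment: (expected loss avoided - cost) / cost."""
    avoided = scenario.expected_annual_loss() - residual_annual_loss(scenario, control)
    return (avoided - control.annual_cost) / control.annual_cost


def treatment_costs(scenario, control, premium, retained_fraction):
    """Expected annual cost ($) of accept / mitigate / transfer.
    'transfer' assumes a policy with the given premium that leaves
    retained_fraction of the expected loss with the insured (deductible, limits)."""
    eal = scenario.expected_annual_loss()
    return {
        "accept": eal,
        "mitigate": control.annual_cost + residual_annual_loss(scenario, control),
        "transfer": premium + eal * retained_fraction,
    }


def choose_treatment(scenario, control, premium, retained_fraction):
    costs = treatment_costs(scenario, control, premium, retained_fraction)
    return min(costs, key=costs.get)


# Constructed inputs; the figures are illustrative, not real data.
BUILD_SERVER = Scenario("build pipeline", "trojanised release via compromised build server",
                        freq_per_year=0.5, loss_median=200_000, loss_p90=1_000_000)
MARKETING_SITE = Scenario("marketing site", "defacement",
                          freq_per_year=0.05, loss_median=20_000, loss_p90=100_000)
EDR = Control("EDR platform", annual_cost=100_000, freq_reduction=0.6, magnitude_reduction=0.2)

if __name__ == "__main__":
    for s in (BUILD_SERVER, MARKETING_SITE):
        print(f"{s.asset}: EAL ${s.expected_annual_loss():,.0f}, "
              f"p95 annual loss ${s.tail_annual_loss():,.0f}, "
              f"ROSI of {EDR.name} {rosi(s, EDR):+.0%}, "
              f"decision: {choose_treatment(s, EDR, premium=60_000, retained_fraction=0.6)}")
```

The point of running it is the comparison, not the numbers: the same control is worth buying against the build-pipeline scenario and is a loss against the marketing-site scenario, and that answer comes from the dollar figures on the asset side, not from the feature list of the tool. In practice the frequency and magnitude estimates are the hard part and should be elicited as ranges from people who know the asset, then revisited as the business changes.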
In short, has the threat-and-vulnerability approach worked, or should you take a real, financial, risk-based approach?