Working in cyber security sucks. The industry is expensive, complex and always changing. Among the individuals we meet from various organizations, there is a general feeling of nervousness about the environment in which they are working: shrinking budgets, increasing regulation, constant threats and confusing terminology. If the 2023 cyber state of the union had to be summed up in one word, it would be disappointment. Let us look at the reason for this.

Over the past few decades, we have been taught that purchasing security equipment is the best way to protect ourselves. First, we purchased firewalls, then we purchased anti-virus, and finally, we purchased a security information and event management (SIEM) solution or data lake. More recently, the choice has become a complex decision tree through the alphabet soup of the latest acronyms: EDR, SASE, IGA, CTI or XSPM. But the unfortunate reality is that we’ve purchased all of these devices, and yet they’ve been breached. Why?

The problem with this approach is that cyber is a systemic challenge that we are treating with independent point solutions. Individual cybersecurity tools are not designed to defeat attackers; they are made to sell. Each device sees the world from its own individual perspective, without regard to what its partners are doing. Consider the different chess pieces: pawns, rooks, and knights each have their own distinct abilities and views of the board. If we ignore the combined capabilities of these pieces and do not look at the chessboard as a whole, the king is likely to be exposed. This is not a winning chess strategy, and certainly not a winning cybersecurity strategy.

If we want to improve our cybersecurity effectiveness, there are three existential truths we need to accept:

1. The cyber adversary is a human being on the other end of the keyboard who is incentivized by return on investment (ROI). The desire to steal money is arguably as old as money itself, and technology has only provided new means to do so. Admittedly, some threat actors specifically seek intellectual property theft, surveillance, or physical disruption (e.g., military operations), but make no mistake: return is still the objective. The opponent has a clear motivation to do something new, which leads to truth number 2.

2. Investment in cyber security must continue to grow. Given the persistence of an adversary, all cyber tools have a shelf life. Unfortunately, this means that cyber is not something one can “set and forget.” Rather, regular reviews are needed to ensure that threats are not moving around or through the controls we have implemented. We need to be prepared to invest as much time in protecting our businesses as cyber adversaries invest in avoiding the traps we set. Cyber will always need to evolve with business initiatives, technology developments and emerging threats.

3. If you fail to expect, you can expect to fail. If you are not thinking at least three chess moves ahead, chances are your opponent will win. Businesses that are not investing in cybersecurity as a fundamental business enabler are ultimately subject to failure in cyberspace. This does not mean that cyber perfection is the goal; instead, flexibility and responsibility are more realistic endeavors. Cyber doesn’t need to be dominant if you cover the basics, partner with the right defenders and always expect a rival at your digital doorstep.

If we stop chasing tools and start adopting cyber as a comprehensive system to keep out a thinking, breathing, human adversary, we can think holistically about how to secure our business (or, conversely, how we are exposed). Systematically integrating cyber controls is a prime example where the whole is greater than the sum of its parts. Do we have too many pawns and not enough knights? Are we able to integrate our tools to extract maximum value from our existing investments? Are parts of our business particularly attractive and vulnerable to attackers? If we change our thinking to the current reality and ask ourselves the right questions, being in cybersecurity is not a waste of time.

