True independence is a rare commodity in the Cyber Security world
There is an incredible amount of material online and on social media around cyber security. But the vast majority of it is either sponsored by technology vendors or directly associated with them. They range from start-ups or specialised software houses (large and small), all the way up to industry heavyweights. They sponsor industry events, conferences and publications of all sorts, including the specialised supplements of many broadsheets and magazines. They produce white papers, reports, surveys and the like, in numbers sufficient to fill several bookcases every year.
Broadly speaking, those reports have been saying the same thing for the past few years: Cyber threats are evolving faster than people can react; investments in cyber security are insufficient to keep up; maturity stays at low levels in large corporations and across the public sector; it must now become a “Board-level priority” for things to change.
Some of those aspects match what we observe in the field every day, but the overall message coming from technology vendors is simplistic and has 2 major flaws:
1- It tricks large corporations and the general public into believing that cyber security is something new
This is not the case. Cyber threats have not appeared overnight. In fact, they have been evolving for the best part of the last 15 years and therefore there is a vast body of good practice that will go a long way to protect any business.
But those good practices have to be in place, and often are not. Cutting corners around those on grounds of costs or convenience simply creates opportunities that cyber threats can target. And indeed, many recent breaches seem to relate to the absence of security controls that have been regarded as good practice for years and should have been in place.
The sad reality is that, in spite of decades of spending in the information security space, many large organisations are still struggling today with problems going back to an era where security measures were seen as a necessary evil imposed by regulations – at odds with functionality and preventing innovation and agility.