INSIGHTS / Articles

10 uncomfortable truths about cybersecurity

 24 Oct 2024 

I’ve been around for over 30 years in this field and have seen a slew of misrepresentations and a common lack of knowledge when it comes to being cyber secure. So, here’s a collection of the ones I’ve encountered on many occasions, with a few of my thoughts.

1) Cybersecurity is a business risk

Cybersecurity is everyone’s responsibility. Not just IT, not just the security team. Be vigilant; it's part of everyone’s job to keep an eye out.

As is often said, a chain is only as strong as its weakest link. That link could be anyone or anything: an employee who clicks on a phishing email, a manager who approves a risky piece of software to be installed, or a third-party vendor with access to sensitive data. Cyber threats exploit human error, not just technical flaws, and this makes everyone in the organisation a potential target.

Rethink your role in staying cyber safe: whether you’re in marketing, finance, people & culture, or on the front lines, everyone has a part to play in protecting the business. Vigilance is not optional; it is a critical part of your day-to-day job. Report phishy emails, follow your data protection policies, report risky behaviour, and encourage a culture of awareness.

A cyber aware culture needs to be fostered and woven into the organisation. Thinking “cybersecurity is someone else’s problem” makes you the problem by leaving the door open for an attack.

It’s not just keeping the hackers out; it’s about keeping the entire business safe, and we all play a pivotal role in this.

2) Success in cybersecurity is beyond technical skills and certifications

HR departments around the globe typically measure how skilled someone is by the list of certificates on their resume, glossing over experience or extracurricular activities. A resume never shows the true “hacker mindset”: how people overcome challenges and setbacks, how they think around problems on the spot, and how they align their efforts with business goals.

The hacker mindset is more valuable than certifications. This way of thinking is inherent to a person and cannot be taught through a course or training. It is a combination of curiosity, critical thinking, and an insatiable drive to understand how things, businesses, and people work, and how you can make those sing and dance to your tune. The best professionals in the field know we’re playing a game of cat and mouse, and cyber defence isn’t a game of statistics. This requires a quick mind with a deep understanding of what you’re defending and of your potential adversaries.

To truly stand out, a cyber pro needs to understand that cybersecurity exists to qualify and quantify risks to the business value proposition, and that at its core the field is about aligning efforts.

It requires more than technical prowess; it requires strategic thinking, an understanding of business operations, as well as the ability to effectively connect with stakeholders. Speak the language of the business and frame security initiatives in terms of business outcomes rather than technical details.

The cybersecurity pros that really add value know how to bridge the gap between security and business.

This is where true talent hides, between certificates and experience, and talent acquisition teams have been notoriously bad at identifying these traits. The best professionals I’ve met didn’t have arm’s-length lists of certifications and accolades; they showed curiosity and could, with a few questions, uncover the true pain points and root causes. When they do this with just a few answered questions, it seems like magic to most people how they zoom in on where the issues live.

To become an absolute pro in cybersecurity, you must love the challenge and be willing to put in the effort and time to hone your skills, not only in the technical field but also in the business and interpersonal fields. Always be hungry for more knowledge and dig deep when you find a well. Be eager and willing to go from the bits and bytes to business strategy. Hack ALL the things!

3) You will be breached. It’s not if - it’s when.

100% security is impossible; you will be breached. There will always be a weakness, and throwing technology at the problem will not make it go away. Don't focus only on preventing a breach; also prepare for one.

Failing to plan is planning to fail. Build and plan for early detection, correction, and swift recovery, while containing the damage and fallout. Build a strategy for early detection. Establish a rapid response plan. Involve the entire business. Create a comprehensive communications plan.

Move from visibility to observability. Visibility is a point in time; observability spans a period of time. The earlier you know you have someone roaming with malicious intent, the sooner you can act to prevent further fallout. You must be able to understand what’s happening, why it’s happening, and what you can do to stop it. Correlate signals, identify patterns, and anticipate an attacker’s next steps. Disrupt the attacker before they can disrupt you.

Plan for breaches, not just prevention. Proactive is the word.

4) The skills shortage isn't just a people shortage

This is a two-parter:

  • Security is wider and deeper than most think. Hiring departments see a set of bullet points of skills, without understanding that many of these take up to a decade to become proficient in. Don’t fall for the unicorn fallacy.
  • Lack of investment in training. Often organisations are very unwilling to invest in proper training. Companies expect their hires to be fully formed, skilled in everything, and ready to hit the ground running. Cybersecurity is a fast-paced field that changes on a nearly daily basis and requires continuous upskilling. Building a talent development pipeline is pivotal to long-term success.

Going forward: focus on Hire and Build. Fill immediate needs AND nurture talent from within. Otherwise you’ll create a revolving door where talent just walks out. Commit to mentorship, professional development, and career growth. This fills the gap and supports loyalty, which retains talent and builds more resilient cybersecurity teams.

Remember it costs more to hire when tenure is low than to build and keep tenure high.

5) Technology alone won't save the day

Small case study: I’ve seen very expensive gear deployed to inspect “everything coming in and going out of the network”. My assignment was to review its effectiveness. It turned out it wasn’t that effective. The deployment was only half done: any encrypted traffic was simply passed through, because the device was not decrypting it for inspection.

It had been running for years, and all those years gave that organisation a false sense of security. Senior leadership patted themselves on the back because “it’s enterprise gear from a high-end, turbo, super big security vendor and a leader on various magic quadrants”.

I found a few more issues. For example, no one was even looking at what the device was raising in this limp-mode setup. It wasn’t kept up to date and was running signature databases that were three years old. In addition, they had a nice n-1 firmware policy, yet the firmware was eight versions behind because nobody was taking care of this expensive piece of kit.

This isn’t the only time I’ve encountered expensive gear that just heats the air and provides nice blinking lights. Tools can detect threats, analyse risks, and automate responses. But the tools cannon has been fired at cybersecurity issues far too often by people who forget that you need to maintain the tools and respond to their alerts. A tool can sound the alarm, but if there’s nobody responding or no clear process to follow, that alarm is just noise.

Next time you want to press the “FIRE” button on the tools cannon, truly understand what is required to keep the thing running effectively and have a good view of the total cost of ownership, including the time required for people to maintain and monitor it.
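To make the case study concrete, here is an added posture check (not code from the article or from any vendor) that flags exactly the failure modes described above: encrypted traffic passed through uninspected, a stale signature database, firmware drifting past an n-1 policy, and alerts nobody reviews. The appliance record, its field names, the release list and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed snapshot of an inspection appliance (assumed field names, not a
# vendor API). Firmware releases are ordered oldest to newest.
@dataclass
class ApplianceState:
    tls_inspection_enabled: bool
    firmware_version: str
    available_firmware: List[str]
    signature_db_date: date
    last_alert_reviewed: Optional[date]
    open_alerts: int

@dataclass
class Policy:
    max_firmware_lag: int = 1          # "n-1": at most one release behind
    max_signature_age_days: int = 7
    max_alert_review_age_days: int = 1

def firmware_lag(state: ApplianceState) -> int:
    """How many releases the appliance is behind the newest known firmware."""
    releases = state.available_firmware
    if state.firmware_version not in releases:
        raise ValueError(f"unknown firmware version {state.firmware_version!r}")
    return len(releases) - 1 - releases.index(state.firmware_version)

def assess(state: ApplianceState, policy: Policy, today: date) -> List[str]:
    """Return findings; an empty list means the device is actually doing its job."""
    findings = []
    if not state.tls_inspection_enabled:
        findings.append("encrypted traffic is passed through uninspected")
    lag = firmware_lag(state)
    if lag > policy.max_firmware_lag:
        findings.append(f"firmware is {lag} releases behind (policy allows {policy.max_firmware_lag})")
    sig_age = (today - state.signature_db_date).days
    if sig_age > policy.max_signature_age_days:
        findings.append(f"signature database is {sig_age} days old")
    reviewed_ago = None if state.last_alert_reviewed is None else (today - state.last_alert_reviewed).days
    if state.open_alerts and (reviewed_ago is None or reviewed_ago > policy.max_alert_review_age_days):
        findings.append(f"{state.open_alerts} open alerts with nobody reviewing them")
    return findings

# Constructed example mirroring the story: half deployed and unmaintained.
LIMP_MODE = ApplianceState(
    tls_inspection_enabled=False, firmware_version="7.0",
    available_firmware=["7.0", "7.1", "7.2", "7.3", "7.4", "7.5", "7.6", "7.7", "7.8"],
    signature_db_date=date(2021, 10, 1), last_alert_reviewed=None, open_alerts=1432,
)
if __name__ == "__main__":
    for finding in assess(LIMP_MODE, Policy(), date(2024, 10, 24)):
        print("FINDING:", finding)
```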

6) Cybersecurity isn't just penetration testing

Look at the outcome of a penetration test: you get a list of vulnerabilities that were exploited. The next step is simple, right? Fix the vulnerabilities! Easy peasy, lemon squeezy!

But with that simple approach, we’re missing the point: Why were those vulnerabilities there in the first place? What went wrong in the past, and what is the chance this will happen again after you’ve fixed the vulnerabilities?

Penetration testing is a sanity check to see if you’ve done everything right. You should be reasonably comfortable with a good outcome before you let those hoodied Mr. Robot Ethical Hackers loose on your stuff. If you don’t know what to expect, you’ve already failed. Let that cognitive dissonance sink in.

Penetration testing is only a small exercise in the holistic cybersecurity process. Resilient business and IT architecture, governance, risk, compliance, cyber hygiene, asset management, awareness, etc. play a huge role in keeping your cyber risk under control. The attitude of "we need to keep the hackers out" covers only a small part.

Bottom line: Cybersecurity isn’t a single exercise like running a penetration test. Cybersecurity is a continuous process of improvement, awareness, and resilience to keep cyber risks to your business under control.

7) Compliance doesn't equal security

Checked all the boxes for that gold-standard ISO 27001, SOC 2 and regulatory compliance? Nicely done! But it’s just a start.

Attackers don't care about you passing your audits; they care about your weak points. Compliance often gives a false sense of security.

Companies that know compliance is just a baseline ask the tough questions:

  • Are we securing our most critical assets, or just what’s mandated?
  • Are we monitoring the minimum to check the box, or are we getting meaningful observability?
  • Are we testing our incident response plan, or assuming compliance by having a checklist that will prevent attacks?

Don’t underestimate the relentless creativity adopted by modern attackers. Compliance is a baseline, a foundation. After you’re done checking boxes, focus on your security program to provide real protection.

Keep in mind: Compliance is about meeting standards; security is about managing risk.

8) Cyber insurance isn't a get-out-of-jail-free card

Repeat after me: Insurance. Won’t. Fix. Your. Reputation.

You have car insurance, so you don’t have to drive safely anymore? Didn’t think so.

I’ve never seen an insurance payout bring back your operations faster after an attack. Insurance also won't cover your reputational damage, loss of trust from your customers, or legal ramifications after being breached.

Cyber insurance isn’t a substitute for a strong cyber posture and security programme. Insurers often mandate minimum best practices to be in place before they will sign you up, and lately they have been raising the bar further with the huge increase in ransomware attacks.

Your customers won’t like doing business with you after you’ve leaked their data and caused them the pain associated with identity theft. Offering just a single year of free credit monitoring (covered by your insurance) won’t cut it for them either. Attackers know how to wait a year and then strike with that nice cache of personal data. See the fallout after the Medicare (AU) breach: 18 months after it occurred, (ex-)customers started reporting instances of identity theft due to that breach. So, 18 months after the breach, you’re in the news again. Think about how that would affect your reputation.

Approach insurance as a last line of defence, not the first. It’s a backup plan, not a strategy.

9) Security teams are burning out

A CyberArk survey found 59% of cybersecurity professionals were burnt out. 65% of SOC professionals say stress has caused them to think about quitting. The average tenure of a CISO is 18-26 months, compared to 4.9 years for general C-suite. Teams are facing understaffing, low budgets, long hours, and lack of support.

This isn’t just a staffing issue; stopping this downward spiral is a systemic challenge. The problem compounds as it deters people from choosing to go into the field, worsening the skills shortage the sector already faces.

The burnout crisis is a wake-up call that we need to start taking better care of those who protect our systems and data before they decide to protect themselves and walk away.

10) Legacy systems are your Achilles' heel

Prime targets for attackers: Those succulent, juicy, ripe old legacy systems, often not developed and deployed with security in mind.

Companies hesitate to replace legacy systems due to cost and complexity. But the true cost comes from a breach exploiting these weak systems. Dangerously shortsighted logic. By keeping the legacy systems alive, you add complexity with every feature added or code change, retaining vulnerable dependencies and components (looking at you, old .NET and Java apps), essentially keeping the door wide open for an attacker to kick it in. And once an attacker finds that legacy crown jewel, it’s game over.

Aside from often being riddled with vulnerabilities, there are other non-security risks legacy systems introduce as they age gracefully (like milk, not wine):

  • Compliance and regulatory risks, for example through incompatibilities with GDPR and HIPAA.
  • Auditing difficulties: legacy systems often lack proper logging and monitoring capabilities.
  • Skill shortages and knowledge gaps: how’s that 72-year-old COBOL dev doing? Without them on that retainer, a whole lot of institutional knowledge walks out the door.
  • “End-of-life” is usually the most expensive support package for software, if that vendor still even exists. Otherwise, your support is much like Russian roulette. For hardware support, I hope your eBay luck is on your side.

The old monolithic architecture, which was very popular in the past, is now the main roadblock for digital transformation programs. It slows your business down to a crawl while making it more complex and harder to maintain, with added wrappers attempting to make legacy systems ‘futureproof.’

License fees… yes, you may still have to pay for the use of that legacy system, and these costs return annually.

All of this shows the importance of reassessing legacy systems periodically. The longer you hold onto them, the greater the potential impact on security, compliance, operations, and growth.

Don’t let your legacy system replace your peace of mind with a crisis. Invest today or risk paying a much higher price tomorrow.

11) (Bonus) Cybersecurity is a leadership challenge

This brings us back to the first one: Cybersecurity is a business risk.

Cyber threats are business risks, full stop. Many boards and CEOs see cybersecurity as a problem for IT to solve, but the responsibility sits at the top. Without proper leadership buy-in and support, cybersecurity teams cannot do their job effectively, putting the entire organisation at risk.

If leadership thinks they can delegate cybersecurity to IT and call it a day, they make a dangerous mistake. Security is People + Process + Technology, and that triad is everywhere in the business. IT only lives in the Technology part. Cybersecurity is not just a technology problem.

A breach or attack can disrupt your business, damage your reputation, damage the trust of your customers, and invite hefty regulatory penalties. When that happens, all eyes are on leadership, not the IT team, for your failure to make security a priority.

Treat cybersecurity as a business enabler, as one of the pillars and maxims underpinning the trust of your customers and your reputation. Engage security specialists at leadership level and at board level. Threats don’t wait for leadership to catch up.

It's time for deep reflection, and immediate action, especially for those companies not having a holistic view of their business and cybersecurity approach.

Ferdinand Hagethorn

Director - Security Services
