
I worry about the hype

I worry about the level of hype in the cybersecurity ecosystem and the outcomes it may be driving for organisations.

Don’t let hype set your strategy

Occasionally I will be party to a conversation – usually at a convention or industry workshop – that makes me sit back and think: is this the direction we’re heading? Does my organisation, let alone the industry, genuinely need a “software-accelerating sensor collection and real-time analytics platform for hyper-scale growth and insight, enabling faster processing at the edge, providing commercial grade infrastructure manageability, and facilitating quicker and more intuitive searches resulting in to-the-second decision-making abilities”? It certainly sounds great, and the allure is strong because who doesn’t want that kind of capability, but is it addressing my organisation’s biggest threat right now, or is it playing to the human desire for new, shiny things (with an element of FOMO mixed in)?

Don’t get me wrong – the threats are real and they’re increasing each day, but I worry that smooth sales tactics, an undercurrent of FUD, and a semi-fractured industry are blinding organisations to the work that drives genuine risk reduction.

When the cyber security industry first began to tackle the rising threat of cybercrime, it took the concept of cyber security and divided it into manageable steps, developed standards to describe those steps, and then made them available to the world. But even this has presented a challenge, as we didn’t land upon just one standard; we landed on a range of different standards… NIST CSF, SOC 2, ISO 27001, PCI DSS to name a handful. There have even been regional and sector-specific frameworks such as the Essential Eight, AESCSF, and the NZ VCSS-CSO.

Each framework is an incredibly useful publication with admirable intentions, but this fracturing of the ecosystem causes confusion and in some cases dilutes efforts. I’ve seen what happens when organisations attempt to align themselves with multiple standards (surely more is better, right?) – more often than not they end up kicking the tyres, doing little bits here and there, but doing none of them well. Even worse, I’ve seen numerous organisations attempt to align with multiple frameworks in parallel, not as a means to improve their posture, but as a means to compare themselves with their peers. This is great if it drives improvement, but more often than not it’s a process that consumes significant time and effort and winds up driving despair and discouragement.

Effective Information Security starts with understanding your business.

Effective cyber security – indeed an effective business – relies on three components: people, process and technology. Each of these components presents its own challenges: rapid technological change, hype cycles, skills shortages, and a reluctance by some to adopt new ways of working.

However, when faced with a proliferation of solutions and limited skills, budgets, and time, take a step back and ask yourself: what is your business trying to protect (it’s usually the same thing that makes you money), and what is one concrete step you can take towards protecting it? Progress is better than perfection, as perfection will usually come with time and exposure.

Yes, take stock of what your colleagues in adjacent industries are doing, but don’t get hung up on what they’re doing, how they are doing it, or how mature they may be – their businesses will be different from yours, always!

Pick a framework that aligns with your business and what you’re trying to achieve, take the time to assess your current maturity against that framework, and then build a sensible strategy to work towards bolstering those elements that are meaningful for your organisation. If your focus for the next 3 months is on building a cyber-aware culture and being able to identify vulnerabilities within your software ecosystem, then don’t get too hung up on news stories and vendors trying to lead you down the path of protecting against some esoteric threat that’s not likely to have a material impact on your business – you only have a finite amount of time and resource.

Understand, then act.

There is a lot of hype out there – as I write this we’re on the incline towards peak AI hype – and whilst it is important to keep one eye on the horizon as the landscape changes, your other eye (and your hands) should be firmly planted on the things that move you forward now.

The first and most critical step to maintaining security without needlessly increasing costs and complexity is to thoroughly understand the context in which your business operates. From there, you can develop and execute a well-thought-out strategy, one that you can point to when faced with all the hype and say “No, not right now. Right now I need to focus on X, Y, and Z because they reduce the most risk given my organisation’s context”.

This post is licensed under CC BY 4.0 by the author.