The problem is that cybersecurity seems easy to those of us in the security field (just like the game above), yet the strategy is hard to explain to an executive immersed in their regular world. Cyber strategy is also not so cut and dried.
Hackers are attacking old vulnerabilities because people are not patching their computers.
Yet even if a user patches a computer, one click on a phishing email and the computer is still hacked.
So what happens when a password is guessed, or stolen from a breached website where the user entered a password that was reused elsewhere? Now the hacker can access the network with your credentials.
If the hacker can log on to your network with your credentials, that is like winning every time at rock paper scissors, since you can see the response before you make your hand gesture.
Then on top of all that, what about zero-day attacks? Or forever-day attacks, where the hacker can keep attacking a particular platform until the problem is solved (assuming it can be)?
No wonder a lot of people are tuning us security folks out for the most part:
The Cisco VP and Chief architect Martin Roesch: http://www.rsaconference.com/media/advanced-strategies-for-defending-against-a-new-breed-of-attacks
From the image:
Even the basics are not covered.
Less than half of security practitioners leverage critical security tools:
Security administration and provisioning: 43%
Patching and configuration: 38%
Quarantine of malicious apps: 55%
SecOps is not about selling new devices from Cisco; it is about doing the basics: doing the patching, creating good password training, and training for security. The difficulty is one of attention and focus.
Everyone wants to do their regular projects, not security projects. People do not want to remember difficult passwords or change passwords every 60 days.
Those of us in security have to be cognizant of the “regular” world.
We have to do the basics, because although we won’t be 100% secure (which can’t be done), we can make things better and much harder for the hacker, which is what a good cybersecurity program should do.
The key, of course, is to have personnel with the ability to make decisions even when everything is going on: focus and commitment. Communicating this is just as important.