I recently published a blog on the increasing cybersecurity attack surface as enterprise organizations embrace new IT initiatives like cloud computing, mobile application deployment, and the Internet of Things (IoT).
The combination of IT complexity, the growing attack surface, and a progressively more dangerous threat landscape is making cybersecurity more difficult. And it’s not one particular area of cybersecurity that’s becoming more difficult, it’s the whole kit and caboodle. For example, according to ESG research (note: I am an ESG employee):
- 79% of information security professionals working at enterprise organizations (i.e. over 1,000 employees) believe that network security (i.e. network security knowledge, skills, management, operations, etc.) has become more difficult over the past two years.
- 80% of information security professionals working at enterprise organizations (i.e. over 1,000 employees) believe that endpoint security has become more difficult over the past two years.
- 60% of information security professionals working at critical infrastructure organizations (i.e. as designated by the US Dept. of Homeland Security) believe that cyber supply chain security has become more difficult over the past two years.
These are a few research points but it’s likely that other areas like application security, data security, security analytics, etc. are also growing more cumbersome year-by-year.
Aside from the obvious, this data has an ominous repercussion around the balance of cyber-power – as enterprise cybersecurity defenses grow more difficult, cyber-attack offense can become correspondingly easier. I call this relationship the cybersecurity proportional law or Oltsik’s law for short (author’s note: I’ve always wanted my own law a la Moore’s law, Metcalfe’s law, etc.).
Think about this relationship and you’ll understand the logic. As cybersecurity practices grow increasingly difficult, hackers can take further advantage of:
- The growing attack surface. Whether it’s thumb drives, mobile devices, social networking sites, or IoT, it doesn’t matter. If you open up a new threat vector, cyber-adversaries will find a way to exploit it.
- Immature technologies. Sand Hill Road mucky-mucks looking for the next Facebook want millennial eyeballs, not gates and locks. This is pretty much a universal phenomenon -- new technologies are driven by features and functionality, while strong security is usually way down the to-do list for technology entrepreneurs.
- Overworked security staff. According to ESG research, roughly 40% of enterprise organizations claim that their security staff is so busy dealing with emergency response that they have little time for cybersecurity training, planning, or strategy. Heroic effort? Yes. Scalable to meet burgeoning security requirements? Absolutely not.
Clearly cyber-adversaries have a distinct advantage. While they have the luxury of focusing on persistent offensive attacks, enterprise cybersecurity professionals are called upon to defend the castle, support the business, mitigate risks to new IT technologies, and work with other IT and non-IT groups to coordinate cybersecurity actions. Given these vastly divergent job descriptions, cybersecurity offense gains a bigger advantage each day.