Report Reveals Security Professionals' Software Failures

Mandiant (FireEye) recently released its report “Deep Dive into Cyber Reality – Security Effectiveness Report 2020”. The report details the effectiveness of the security control systems Mandiant clients utilize within their environments. Mandiant claims to have executed “thousands of tests” that simulate real attacks.

The authors of the report make a very important point that protecting an organization's computer and information systems is not entirely an IT problem. It is a business problem. Even more, it is an entire organization problem. Every single stakeholder that has access to the system has some responsibility to secure it. This is particularly true of the business executives who need to be more involved in security decisions. If the board does not have a CISO, it should. And that person needs to be viewed as an equal partner in the C-suite.

Of all the information provided by the report, the following stood out the most:

Under testing against infiltration and ransom attacks, reporting organizations found their controls did not prevent or detect detonation within their environments 68% of the time

My most immediate thought is these organizations are paying a crazy amount of money for infrastructure and software solutions that only work 32% of the time. There probably needs to be some serious cost to benefit analysis done!

All the while security professionals continue with the “Users are the weakest link” mantra. Oh really? It looks like digital technology and software may be the weakest link. Of course, it must be considered that maybe it is the combination of technology and user, but a 68% failure rate can’t be all user error.

Security professionals assume that technology is flawless. I mean, the tools caught all of the attacks in the lab, right? It must be the users.

My previous discussion of the “user is the weakest link” fallacy seems to gain more validation. Security professionals should look in the mirror before they start laying blame.

Security teams need to seriously evaluate where the true weaknesses are in their network defenses. What company hires an employee that only works 32% of the time? Or invests in a piece of robotic equipment that is out of service two-thirds of the time? Certainly not one that is properly managed. Why are we spending hundreds of thousands of dollars on software solutions that only work one-third of the time?

Of course, if you hit a baseball in 32% of your career at-bats you’ll end up in the hall of fame.

#cybersecurity #infosec