Five Cyber Security Hopes for 2019

Fifty years ago, the surprisingly political Smothers Brothers convinced CBS to let Pete Seeger perform on their show his anti-war protest song, Waist Deep in the Big Muddy. The famous song’s perfect title reflects its basic Vietnam-era premise – namely, that our country was stuck in a terrible situation with no obvious solution. And like the sad hero of the song, once you get stuck deep enough in the mud, there might be no escape.

I was recently asked by a reporter about our global cyber security posture – and the lyrics of that song popped into my head. We seem painfully stuck in place when it comes to cyber security. Nation states keep attacking each other; enterprise teams cling to their dumb LAN architectures; vendors swear that artificial life can stop hacks. And on and on. The lyrics fit: Every time I read the papers; that old feeling comes on; we’re waist deep in the Big Muddy.

And yet – this discipline of cyber security to which I’ve devoted my entire life, has shown some recent flickers of life. Each day, just when I’ve had it up-to-here with another bad security pitch, some inventive technologist will present a new security method that truly inspires. And just when I’ve had my fill of bad presentations, someone will turn off the PowerPoint, and deliver an inspiring pitch on some aspect of our work. These moments give me hope.

So, rather than lament the coming year with a bunch of dark predictions, I figured I’d shake things up a bit: My influence has now grown sufficiently that I thought I’d list out my five hopes for cyber security in the coming year. Presumably, by describing this future vision, I might exert some influence. Even if this turns out to be just false hope from a cyber narcissist, it sure feels better to be glass-is-half-full from time to time. Here are my five hopes for 2019:

Hope #1: That CISOs begin to act like executives. As an executive coach, I have a front row seat to the day-to-day habits of the modern CISO. And I’ve watched my incredibly talented clients rely on the personal tools that earned them the position: Technical expertise, external charisma, deep confidence, task orientation, and so on. But what I’ve observed is that these seemingly positive attributes are often too focused on the “I” and not enough on the “we.”

In a seminal HBR article, the great Peter Drucker introduced a set of practices that made for effective executives. Every one of these practices focused on working together, communicating with others, and focusing on what needs to be done as a group. These are selfless practices – ones that advance the needs of the organization, even if it means sacrificing the best interests of the individual. Sadly, this is not common practice for the modern CISO. Let me explain:

Today’s CISOs are experts. They are hired guns who are considered by senior management to be unsuited for any position other than cyber security. And why is that? Well, it’s because CISOs harbor that impression. They refuse assignment outside their comfort zones, and they abhor the idea of stepping into any adjacent role that might negatively affect their security edge. I know of no CISO who has ever agreed to a non-technical position to advance their career.

It is my sincere hope that in 2019, we begin to see some pioneering CISOs step away from their technical roots into corporate positions that provide a more rounded view of the organization. Perhaps we might see a CISO move to the sales organization, or to finance, or manufacturing, and so on. Such Theory Z movement is not the sole requirement for executive success, but it currently stands as a major barrier to growth for the modern CISO. I hope it changes in 2019.

Hope #2: That the US Federal Government hires a cyber security expert. In the last few weeks, I’ve had the pleasure to run into some wonderful cyber security experts who know their way around River City. I interviewed Richard Clarke at a conference; I ran into Rob Joyce at a luncheon; I bumped into Greg Touhill at a symposium; and on and on. Sadly, the one thing that each of these fine technologists had in common is that they are all former civil servants.

Now, I have no idea why the White House fired every member of their team with cyber security expertise. And I reject the notion that the current DHS Secretary is a cyber security expert. Say what you will about Ms. Nielsen, but in forty years of security work in and around the beltway, I’d never once heard her name in the context of cyber security. Never. So, she might be a wonderful expert in a thousand-and-one things. But cyber is not one of them.

This is a problem because real security expertise is necessary to guide decision processes toward proper conclusions about offensive and defensive tactics and strategy. Without the instincts of the experienced security professional, our nation’s leaders can be easily swayed, tricked, or misled down paths that might make no sense. This is especially easy for government leaders who developed their instincts pre-cyber (perhaps even pre-computer).

It is my sincere hope that in 2019, we begin to see some recognized, experienced professionals emerge in our Federal Government with the instincts, credentials, and expertise required to keep our nation safe. And this is not just for cyber security threats, but also for the emerging information manipulation campaigns growing on social media and other on-line forums. Let’s hope we see national leaders begin to show up this year who can address these challenges.

Hope #3: That virtual marketplaces emerge for enterprise cyber security. For the past three decades, enterprise security teams have been forced to buy hardware and software for protection using familiar procurement processes. That is, they select a vendor, fill out purchase orders, schedule delivery, supervise installation, test integration, and then complete the on-boarding. These tedious procurement steps might take weeks or even months.

This might not seem like a huge problem until you realize that this is how an organization defends itself. If a company is under attack, for example, and wants to obtain and install a new firewall or other security function, then the steps just outlined must be traversed. By the time a new security tool is put in place, however, the corresponding attack might have long since completed. This is not how active, agile defenses are designed.

Virtualization provides an effective means for streamlining this procurement ordeal. That is, if an underlying operating environment supports on-demand integration of software appliances, then it is entirely feasible that an enterprise security team might provision new protections in real-time. An attack might be observed, for instance, and a new protection immediately launched to deal with – or perhaps even prevent – the attack.

It is my sincere hope that in 2019, we begin to see the availability of marketplaces where virtual security can be deployed in real-time. One might imagine selecting a vendor solution on a portal, proceeding to checkout, and then watching as the new tool is installed dynamically and immediately into the operating environment. This capability would dramatically change the equation for cyber defense, and would represent an amazing advance in 2019.

Hope #4: That enterprise teams stop using pay-for-play quadrants. The selection of proper cyber security products and services from appropriate vendors is one of the most challenging activities for the modern enterprise protection team. At TAG Cyber, we count roughly 1500 or so active cyber security vendors peddling commercial solutions that range from truly amazing to incredibly terrible. And it’s not always easy to separate the wheat from the chaff.

Companies like Gartner and Forrester do us a grave disservice by implying in their reviews of vendor offerings that one solution is better than another. The reason this comparison is bad is because vendors pay for such treatment. The equation is clear: Spend more money and see better results. Spend less money and you’re out of luck. It’s their business model and it creates unfair advantages for companies that are willing to pay.

A better solution involves an honest attempt at unbiased comparison. At TAG Cyber, we try to sift through hundreds of companies to find those we believe are truly impressive. Yes, we do monetize our work through research and sponsorships, but we never, ever claim that one solution is better than another because we received payment. And as an enterprise professional, you should expect nothing less.

It is my sincere hope that in 2019, we begin to see rebellion against magic quadrants, waves, and the like. I am 100% in favor of sponsored research, and Gartner has a right to make money. But the visual implication that Vendor X in the top right of their grid is better than Vendor Y in the lower left is something that we must firmly reject. Only then can we begin to explore the best vendor options in an unbiased context.

Hope #5: That enterprise teams embrace zero trust networks. The idea that firewall perimeters no longer work is basically unchallenged. But like the person who buys books on preventing heart disease while puffing on a cigarette, the modern CISO talks a good de-perimeterization talk, but rarely backs up such bluster with action. Virtually every large and medium-sized organization I know maintains a porous DMZ. (Google is a prominent exception.)

The bottom line is that with the explosion of third-parties, and insiders, and telework, and websites, and email, and remote access, and outsourcing, and on and on – the idea that you can contain corporate or government assets inside a DMZ is patently ridiculous. This is often missed by our government officials in agencies like DHS, as they continue to push perimeter solutions such as EINSTEIN (see hope #2 above).

The best solution I’ve seen involves the use of device-to-cloud networking in the context of the Forrester-dubbed Zero Trust Networking method. This presumes that end-to-end security is established to protect data and workloads from devices across networks that do not include a DMZ-like boundary. Instead, the protections are shrink-wrapped to the access session and are the same across a variety of underlying transport media.
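To make the contrast concrete, here is an added illustration (not code from this post, nor from Google's BeyondCorp or Forrester) of why a decision bound to the access session behaves the same over any transport, while a perimeter decision does not. The device inventory, resource tiers and request fields are constructed assumptions.

```python
# Added example: perimeter (DMZ) access decision vs. a Zero Trust style decision.
# All inventory data and sample requests below are constructed for illustration.
from dataclasses import dataclass
import ipaddress

# Hypothetical managed-device inventory with posture attributes (constructed).
DEVICE_INVENTORY = {
    "laptop-4711": {"owner": "alice", "disk_encrypted": True, "patched": True},
    "laptop-9001": {"owner": "bob", "disk_encrypted": False, "patched": True},
}
# Minimum device trust tier each resource demands (constructed).
RESOURCE_TIER = {"wiki": 1, "payroll": 3}

CORPORATE_LAN = ipaddress.ip_network("10.0.0.0/8")  # the old "inside"


@dataclass
class Request:
    user: str        # identity from the SSO/session token
    device_id: str   # identity from the device certificate
    resource: str    # what is being accessed
    src_ip: str      # where the packet came from
    transport: str   # "lan", "vpn" or "internet" (informational only)


def perimeter_decision(req: Request) -> bool:
    """Classic DMZ model: anything already on the LAN is trusted."""
    return ipaddress.ip_address(req.src_ip) in CORPORATE_LAN


def device_trust_tier(device_id: str, user: str) -> int:
    """Score device posture 0..3; 0 means unmanaged or not owned by this user."""
    dev = DEVICE_INVENTORY.get(device_id)
    if dev is None or dev["owner"] != user:
        return 0
    return 1 + int(dev["patched"]) + int(dev["disk_encrypted"])


def zero_trust_decision(req: Request) -> bool:
    """Decide per access session from user + device posture only.

    src_ip and transport are deliberately never consulted, so the
    outcome is identical on the LAN, over VPN, or from the open internet.
    """
    required = RESOURCE_TIER.get(req.resource)
    if required is None:
        return False  # unknown resource: default deny
    return device_trust_tier(req.device_id, req.user) >= required
```

Running the same compliant user/device pair from the LAN and from the internet yields one answer under the Zero Trust rule and two different answers under the perimeter rule.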

It is my sincere hope that in 2019, we begin to see more enterprise teams adopt this Zero Trust approach, exemplified by Google’s BeyondCorp, and consistent with software-defined networking solutions in use by transport carriers and data center managers. With this shift away from the perimeter, 2019 might be the year – finally – where enterprise teams begin to make meaningful progress freeing our community from that stubborn Big Muddy.