Presented by Kenna Security
If you are employed in cybersecurity, you’ve likely read an editorial telling you that the industry is broken. “Microsoft needs to get serious about cybersecurity,” the writer opines. “Apple needs to get its act together,” says another. “The real problem,” yet another voice says, “is that developers across the entire industry don’t pay attention to basic security protocols.”
A lot of what these writers say is true. But to write the 501st version of that opinion is to ignore the reasons why security challenges persist. There are very real constraints on many organizations’ ability to reduce the cyber risk that they or their products pose.
Those barriers to change are falling, thanks to data science and machine learning. These technologies are making it easier for organizations to understand, measure, and operationalize cybersecurity risk and are changing the way that cybersecurity teams interact with the rest of the organization.
In short, data science is transforming cybersecurity into a team sport.
Who “owns” security?
I’m going to get in the weeds here to talk about the way cybersecurity teams have existed within organizations. Their relationship to the rest of the organization has long been one of the barriers to change.
While cybersecurity teams have traditionally been given a wide degree of autonomy and responsibility, they usually lack authority to implement many of the changes they want.
At most organizations, security teams tested, bought, and managed the security technology used by the entire organization. But when breaches occurred, jobs were on the line within the security team.
The rest of the organization didn’t feel the same pressure.
A security team could spot a vulnerability and recommend a patch, but they weren’t responsible for implementing the patch. IT operations teams, for their part, could slow-play a patch request, fearful that a new patch could knock other dependencies offline.
On the development side, coding teams with tight time-to-market deadlines might push back on a security team’s request to write more secure code, fearful that it would slow them down.
If having responsibility and no authority sounds dysfunctional, consider one factor that compounds the difficulties. It has historically been extremely difficult to determine which vulnerabilities were actually dangerous, which allowed for debate that further slowed the implementation of patches.
Just how important is this patch?
Cybersecurity teams lose internal battles too often. That’s a function of their relative isolation within the organization.
Data can help them turn the tide.
For far too long, companies had no real way of calculating the risk presented by a threat or vulnerability. Where intuition reigned, debates ensued. For every critical patch on a server that hasn’t been updated in four years, there is arguably something easier to patch that is just as dangerous.
Nowhere has this been more apparent than in the vulnerability management space. The typical enterprise controls 60,000 assets, which are home to an average of 24 million vulnerabilities. IT teams have the capacity, on average, to patch just one in ten of those vulnerabilities. The good news is that not all vulnerabilities are equally risky.
That math puts tremendous pressure on cybersecurity executives and IT teams to identify the vulnerabilities that pose the biggest risk to the organization.
Because hackers tend to follow well-worn paths, it’s possible to analyze years of already existing threat data to predict which vulnerabilities are most likely to be weaponized. Prioritizing the risks at this scale is only possible with machine learning and data science.
Which brings us back to the point of cybersecurity becoming a team sport. When the debates end, teams across the organization are empowered to hold each other accountable for improving security while still meeting the rest of the organization’s goals.
Breaking down barriers
It stands to reason that if your organization cannot establish a clear process for identifying its biggest risks, calls to “get its act together” are useless. The status quo exists for a reason. In vulnerability management, the lack of authoritative decision support is a constraint that prevents organizations from adopting holistic security practices, and similar examples can be found across other cybersecurity sub-disciplines.
Technology can help align people and processes to organization goals.
I say this without irony: The industry has to acknowledge that if we are to make progress in security, everybody has to take this seriously.
But nobody can take it seriously until internal barriers are knocked down.
Karim Toubba is CEO at Kenna Security.
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact firstname.lastname@example.org.