United We Stand, Divided We Fall

Tonight’s one of those nights where I’m burning the candle at both ends but before I sign off and hit the hay, I’ve had the thought “who will get breached tonight?”.

Let’s be honest, there’s always somebody and when it’s a high-profile case the jungle drums start beating and platforms such as LinkedIn are awash with sneers and jibes and industry vendors start dreaming up rumours about why these organisations were breached (it usually has something to do with them not using that particular vendors tech).

Now, I’m probably being a little cynical because it’s late and I’m perennially tired but it’s often as if the security community love scoring points when there’s a data breach. Further, it’s almost a double joy for “vendors” because they get to whip up tales creating further fear, uncertainty and doubt. There is certainly an air of schadenfreude amongst the “community”.

Personally, I feel that we need to be a little bit more responsible about how we look at these things and not tittle-tattle. Instead we should recognise that breaches can happen to any organisation, they’ve even happened to some of the large, well-known security vendors.

Let’s remind ourselves of a few little truisms following a breach:

  • If you don’t work there, you don’t actually know what happened.
  • Unless the breached have released a detailed statement, you don’t know actually know what happened.
  • Unless you’re the attacker yourself, you don’t actually know what happened.

Let’s give our clients and potential clients some respect.  They know that somebody, somewhere is under scrutiny and probably have a good idea of how that would feel if the boot was on the other foot. They probably know that there are vulnerabilities on their own network and they are probably struggling to gain support internally and as such, they’re doing the best they can with limited time and resources. I speak with many security teams.  I never see one over-resourced.

Let’s also be honest, there isn’t a silver bullet that can fix the problem. It’s always about mitigating the risk and making best efforts. We do this by ensuring that that the correct people are in-situ and are carrying out the correct processes. Once these are in place, the correct technology can assist.

Allow me to reiterate:

  • There is no silver bullet.
  • Teams are under-funded and over stretched.
  • It could happen to you.

With that in mind, why are we sneering?  Let’s not forget, a security team has to be on their game 24/7 whereas an attacker only needs to get it right once!  Shouldn’t we be a little more supportive and understanding rather than putting the fear of God into people?

That said, if you have had the fear put into you and you would like to talk about how you can review your strategy without the unlimited budget and resource, feel free to give me or the team a call on 020 3855 0895.