The business of cybersecurity
I recently started my MBA program, and while I try to keep a very open mind to learn as much as possible, I could not help but view everything through the lens of my past experiences. I love everything cyber and am very passionate about it, having spent the last 9 years doing everything from penetration testing, developing cyber security strategies, performing digital forensic investigations, implementing/optimizing security solutions and developing managed security services, so please pardon me if all I see is cyber everywhere.
One of the classes I took was on managerial economics: learning how to understand markets, different types of markets, demand and supply, causes of market failure, game theory etc. Oh my, they were all applicable to cyber, and it allowed me to think through things I have always looked at from a technical point of view. I even thought of coining a new research area called “cyber economics”, and after googling and seeing the many results, you can imagine how I felt. Apparently, it’s something that has been discussed for over a decade. However, I still enjoyed the class and decided to write about my experience.
One of the questions that I pondered was “why can’t every developer or company just develop applications or products that are secure right out of the box?” The answer in the tech world has always been: oh, security is always an afterthought. From personal experience, I have always opined that the majority of developers don’t build defensively, especially when there are no second-level security checks on products. Most developers are focused on getting the product operational (well, this is also partly because of the pressure from the business to be first to market). I remember reviewing a web-based product before it went live which had some input injection flaws. I provided the script I ran and a screenshot of the output to the developer. To my greatest surprise, the developer only modified the application source code to filter out the parameters in the script I provided, instead of thinking through a more robust solution that would fix the vulnerability long term. I have had several similar experiences in the past where I had to review the code with the developer line by line, and in some cases I had to help write the code that would fix the issue.
The truth is, there are no incentives for developers to create secure products, since they can get away with products that have weak security. How many people have stopped using a product because it was vulnerable, especially if the product has monopolistic market power with limited competition? Also, if there are bugs in the product, the developers usually don’t suffer the harm, something some people call “no skin in the game” or, as we would refer to it, negative externalities. When a person suffers a cyber-attack and loses money, or a company’s stock price crashes, no one ever blames the developer of the technology infrastructure.
All hope is not lost (or maybe it is just me thinking so). As organizations continue to move infrastructure to the cloud, they transfer some of their risks. We are beginning to see some of these cloud providers develop solutions to ensure that customers are empowered to verify the security posture of their services using provable security.
How best to respond during an incident?
Cyber incident response is an interesting area to explore, especially now as the US government is changing its cyber security strategy from focusing on strengthening defensive mechanisms and minimizing the impact of security breaches to offensive cyber operations. This is said to be achieved through preemptive cyberattacks to make other nations fear the US’ retaliatory powers. See this article for more details. A situation in which two or more competing parties each look for the course of action that best benefits them can be analyzed using game theory.
Game theory is the study of games. Games as in chess and not solitaire, because solitaire is more like a puzzle: your actions don’t affect any other player’s decision (apart from ranking), unlike chess, where there is more than one player and every move a player makes depends on the move the other player makes. A classic example of game theory is the Prisoner’s Dilemma, where two people are arrested for a robbery. The prisoners are told the following:
· if they both confess to the robbery, they’ll each serve three years;
· if only one confesses to the robbery and the other does not, the one who confesses will be rewarded with a one-year sentence while the other will be punished with a ten-year sentence.
Before I bore you with the details of game theory, I am sure you get the picture, so how does this relate to cyber security? In the event of a cyber incident, there are two major players: the victim and the attacker. The actions of the victim, whether to disclose information about the attack or respond to the attacker, would be largely dependent on what was compromised, who the attacker is (if the attacker can be successfully identified) and whether retaliation is even an option.
While the answer is not always the same in every scenario, game theory allows one to model the different possible outcomes with corresponding payoffs. It then becomes easy to decide the best course of action. There are several publications that discuss game theory and cybersecurity. Just Google it!
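To make the “model the outcomes with payoffs, then pick the best course of action” step concrete, here is an added example (not from the original post) that encodes the Prisoner’s Dilemma above as a payoff matrix and finds each player’s best responses, dominant strategy and the pure-strategy Nash equilibrium; the post gives no sentence for the case where both stay silent, so the two years each used for that cell is an assumption.

```python
"""Best-response and pure-strategy Nash equilibrium finder for a two-player game.

Payoffs are years in prison, so each player prefers the smaller number.
Matrix values follow the post (3/3 if both confess; 1 for the confessor
and 10 for the other if only one confesses). The both-silent cell is an
assumption: the post does not state it.
"""
from itertools import product

ACTIONS = ("confess", "silent")

# PRISONERS[(row_action, col_action)] = (row_years, col_years)
PRISONERS = {
    ("confess", "confess"): (3, 3),
    ("confess", "silent"): (1, 10),
    ("silent", "confess"): (10, 1),
    ("silent", "silent"): (2, 2),   # assumption, not given in the post
}


def best_responses(payoffs, actions, player, other_action):
    """Actions for `player` (0 = row, 1 = col) that minimise years given the other's move."""
    def years(action):
        key = (action, other_action) if player == 0 else (other_action, action)
        return payoffs[key][player]
    best = min(years(a) for a in actions)
    return {a for a in actions if years(a) == best}


def dominant_strategy(payoffs, actions, player):
    """An action that is a best response to every move of the other player, or None."""
    for a in actions:
        if all(a in best_responses(payoffs, actions, player, o) for o in actions):
            return a
    return None


def nash_equilibria(payoffs, actions):
    """Profiles where neither player can do better by deviating alone."""
    return [
        (row, col)
        for row, col in product(actions, repeat=2)
        if row in best_responses(payoffs, actions, 0, col)
        and col in best_responses(payoffs, actions, 1, row)
    ]


if __name__ == "__main__":
    print("dominant (row):", dominant_strategy(PRISONERS, ACTIONS, 0))
    print("equilibria:", nash_equilibria(PRISONERS, ACTIONS))
```

Swapping in a victim/attacker matrix (e.g. disclose or stay quiet versus retaliate or not) with your own estimated payoffs reuses the same functions unchanged.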
Another interesting question was how organizations get to decide which security solutions will be effective in the long run. For any technology to deliver efficiently and provide the desired return on investment, we talk about three main things that must be in place: people, process and technology. I believe we must all have read or heard about the serious shortage of cybersecurity talent, meaning more demand than supply. In the area of effective processes, there are several standards and policies in place covering different aspects, the majority costing organizations more money than they would have liked to invest, but that is not where I am going. It’s the technology space, where there is more supply (vendors) than demand. It is believed that the average large enterprise has over 50 security vendors, extending to over 100 in some cases, and this might continue to increase as different vendors come up with niche products. The effectiveness of each of these security solutions is a subject for another time.
Since cybersecurity is a very hot space now, everyone wants to cash in on the action. And just like every market that is profitable, more organizations or investors move into the industry to earn economic profit, and when it becomes saturated, the inefficient organizations are forced to exit the market. In the long run (I use this term but can’t estimate how far ahead the long run is), it is then safe to assume that the more efficient companies will buy up / acquire the inefficient ones (well, at another time I hope to write about how many startups actually start off with the intention of being sold off whenever their valuation is high enough), so expect more activity in the cybersecurity M&A sector; you can follow Momentum Cyber if you are interested in this space.
It is my hope that this post has not been a waste of your time and has given you some insights or sparked your curiosity about how to think about cyber challenges from a non-technical perspective. I hope each reader can leverage this when engaging with stakeholders to focus not just on the technical issues but on the actual underlying business issues, ultimately making you and your company more productive as you make investments in cybersecurity, saving everyone more time and money.