Chapter 1. Protecting Data and the Places Where Data Resides

The World Economic Forum estimated that by 2025, individuals and companies around the world will produce 463 exabytes of data each day.1 This ever-growing number includes every sort of data, much of which we use every day in emails, ecommerce, business activity, and the daily operations of the world we live in. Our economy and society have evolved to depend on data and to use it in every aspect of our daily lives—creating both tremendous opportunities and tremendous peril.

This reliance on data, and on the sciences that analyze and utilize it, has become integral to everything we do, making data one of the most valuable assets businesses must safeguard. Since data collected through activities involving business, industry, and consumers has become as valuable as it is plentiful, keeping it available in transit, at rest, and in use at scale is one of the world’s most significant technological challenges. To secure digitized environments and data, the domains of information security and cybersecurity have been rapidly evolving in lockstep, running a perpetual race against a growing list of criminal and nation-state-sponsored adversaries that aim to use the same data for their own nefarious purposes.

In response to this constantly evolving state of affairs, governments and organizations tirelessly develop new frameworks, regulations, advisory entities, and commercial solutions to protect data and to counter the many attacks that can compromise its desired state. Consequently, organizations around the world spent around USD $150 billion in 2021 on cybersecurity,2 and this expense is growing by 12.4% annually. Meanwhile, the global cybersecurity market is projected to continue to grow from USD $155.83 billion in 2022 to USD $376.32 billion by 2029, exhibiting a compound annual growth rate (CAGR) of 13.4%.3

These growth statistics are quite impressive. But the paradox is that even though organizations and their security teams are spending more money each year on cybersecurity, successful data breaches and other cyberattacks (and the resulting costly fallouts) also continue to increase and worsen over time.

More Security Is Not Always More Protection

The cost of cyberattacks to victim organizations has been rising over the years,4 largely because organizations are slow to detect attacks and to contain them before they progress. On average, in 2022, organizations across the globe needed 277 days to identify and contain a data breach,5 highlighting a marked gap between detection capabilities and the speed with which attackers move toward their objectives. One industry report released in 2023 found that the time it takes ransomware attackers to achieve their objectives went down 94% between 2019 and 2022.6 What used to take months now takes mere days, leaving security teams very little time to find out about attacks before it’s too late.

Simply spending more on security over the years definitely does not appear to be the answer. The world’s largest and most protected organizations, including those with hefty cybersecurity budgets and every cutting-edge technology, suffer major data breaches, often exposing the personal information of millions of individuals in one fell swoop.7

Looking at the numbers and statistics raises a simple yet loaded question: if we are not seeing marked improvement over time, are we, as a cybersecurity industry, doing something wrong? And if we are, how can we course-correct and start moving in the right direction?

Security: More Science, Less Art

Answering the question “Are we doing something wrong?” is not as straightforward as one would wish it to be. One of the main reasons is that the global security industry still lacks standardization: a shared framework for evidence-based planning and for the implementation of security controls. The industry therefore struggles when it is asked to evaluate controls, produce a comparable set of results, and rework or fine-tune controls in a way that is proven across a large enough data set.

Security must be much more of a science than it is an art. If security teams do not work to standardize the way they operate and to measure what does and does not work, we will keep using the same mindset and actions to produce the same results. One way this impacts the overall security of any organization is that many are unaware of control effectiveness, to the point of not realizing when controls have failed and are creating exposures the business is not mitigating.

Silent Control Failures at the Root of Cyberattacks

The reality is that every type of security control employed on organizational infrastructures can, and does, fail either partially or completely. In a study that tested endpoint detection and response (EDR) controls against seven real-world, impactful attacker techniques, researchers discovered that controls detected the malicious actions only 39% of the time.8 The remaining 61% was a vast playing field for attackers to continue to drive their objectives across organizational networks. Unfortunately, organizations are often unaware of their control gaps for lengthy periods and might find out about them only in the throes of an actual cyberattack. In other cases, organizations have not implemented the needed controls at all, failing to address the realistic risk profile of their business activity.

Let’s examine one example that shows how adding a security control does not automatically translate into adding actual protection. If the control is present but its effectiveness is not proven or measured, it can generate a false sense of security, all while it is failing to protect the network. Failed controls eventually lead to a detrimental compromise.

Consider three primary types of security controls that any organization or security professional would have to rely on:

  • Preventive controls

  • Detective controls

  • Corrective controls

Together, these three categories cover every type of mitigation measure we typically employ to help reduce the risk of a breach of digitized environments and its impact on data. Controls can exist on the physical plane, be technical, or be administrative (see Table 1-1).

Table 1-1. Primary security control types

Physical controls
  Preventive: Door locks, fence, barbwire, access cards
  Detective: Surveillance cameras, alarms, motion detectors, biometric scanners
  Corrective: Revoke access card, revoke access, use better locks, revoke biometric ID

Technical controls
  Preventive: Firewalls, intrusion prevention system, DNS-based enforcement
  Detective: Intrusion detection system, endpoint detection tools
  Corrective: Adjust firewall rules, adjust DNS rules, patch or vulnerability management

Administrative controls
  Preventive: Password management policies, least privilege principles, termination policies for departing employees
  Detective: Review access rights, audit privileged accounts, audit password lifecycles
  Corrective: Revoke and limit admin accounts on the network, force new password creation with new requirements

Each control category provides an entry point to a plethora of solutions and tools. These are designed to help organizations grow their security posture and overall maturity in terms of their ability to protect networks, detect adverse activity, and recover from security incidents.

For example, patch management is a technical corrective control and part of fundamental cyber hygiene. It provides a protection layer in a world where the list of software vulnerabilities only keeps growing. To that effect, the vulnerability management market is projected to reach USD $21.38 billion by 2028,9 driven by a galloping rate of new vulnerability disclosures each year, whose exploitation often results in costly breaches and attacks. For perspective, the National Vulnerability Database (NVD) holds 8,051 vulnerabilities published in Q1 of 2022 alone. This is about a 25% increase from the same period in 2021.10

A failure of controls in patch management could mean putting off the patching or skipping it altogether due to an inadequate risk assessment of a vulnerability to one’s infrastructure, or the misclassification of the asset in terms of sensitivity/criticality. A more subtle failure can result from relying on a vendor or tool’s remediation prioritization paradigm. Different vulnerability management vendors and tools vary in how their automated scans and systems grade the priority to remediate. What can happen is that some of the more impactful vulnerabilities that are much more likely to be exploited specifically within the organization’s infrastructure can be deprioritized in favor of those with higher general risk scores.11

This can happen by not calculating the Temporal and Environmental Common Vulnerability Scoring System (CVSS) metric groups,12 and by missing the wider risk context that’s very specific to one’s actual digital environment. The better way to use this control would be within the context of a corresponding risk assessment that takes into consideration the elements of asset sensitivity/criticality, its exposures, the threat actors likely to target it, and the exploitability status of the applicable vulnerabilities.13 With new vulnerabilities and threat actor techniques evolving constantly, the process of vulnerability management is cyclical, so this risk assessment process must also be cyclical to keep on top of priority patching.
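To make the temporal and environmental adjustment concrete, here is an added example (not code from the book) that implements the CVSS v3.1 base, temporal and environmental equations and re-ranks two constructed vulnerability vectors by their environmental score. It assumes the Modified Base metrics are left equal to the Base metrics, so the environmental score reflects only the asset’s Confidentiality/Integrity/Availability Requirement ratings (CR/IR/AR) and the temporal metrics (E/RL/RC); the metric weights are those published in the CVSS v3.1 specification.

```python
# Added example: CVSS v3.1 base, temporal and environmental scoring. Assumes
# the Modified Base metrics equal the Base metrics, so the environmental score
# reflects only the asset's CR/IR/AR ratings plus the temporal metrics (E/RL/RC).
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},  # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}   # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR weights

def roundup(x):
    """Round up to one decimal place, as defined in CVSS v3.1 Appendix A."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def _impact(iss, scope, modified=False):
    if scope == "U":
        return 6.42 * iss
    if modified:  # v3.1 uses a different curve for the modified impact
        return 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15

def _combine(impact, exploitability, scope):
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if scope == "C" else total, 10))

def parse(vector):
    """Turn 'AV:N/AC:L/...' into a dict; absent optional metrics become X."""
    m = dict(part.split(":") for part in vector.split("/"))
    for key in ("E", "RL", "RC", "CR", "IR", "AR"):
        m.setdefault(key, "X")
    return m

def scores(vector):
    """Return (base, temporal, environmental) scores for a CVSS v3.1 vector."""
    m = parse(vector)
    s = m["S"]
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[s][m["PR"]] * UI[m["UI"]]
    tf = E[m["E"]] * RL[m["RL"]] * RC[m["RC"]]  # temporal factor
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    base = _combine(_impact(iss, s), expl, s)
    temporal = roundup(base * tf)
    miss = min(1 - (1 - CIA[m["C"]] * REQ[m["CR"]])
               * (1 - CIA[m["I"]] * REQ[m["IR"]])
               * (1 - CIA[m["A"]] * REQ[m["AR"]]), 0.915)
    env = roundup(_combine(_impact(miss, s, True), expl, s) * tf)
    return base, temporal, env

def prioritize(vectors):
    """Order vulnerabilities by environmental score, highest first."""
    return sorted(vectors, key=lambda v: scores(v)[2], reverse=True)
```

With these constructed vectors, a 9.8 base-score vulnerability that has no known exploit, an official fix, and a low-requirement asset drops to an environmental 7.0, while a 7.1 base-score vulnerability that is actively exploited on a high-requirement asset rises to 8.6 and is patched first.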

We Are Compliant, So Why Are We Not Secure?

Efforts to standardize security across sectorial and organizational risk profiles have led to the rise and enforcement of mandatory minimal security requirements. In some cases, regulatory bodies have developed and required compliance in the shape of laws to abide by. One such example is the General Data Protection Regulation (GDPR), which is an EU law for data protection and privacy. In the US, the Health Insurance Portability and Accountability Act (HIPAA) for health-care data is a federal law. Other compliance schemes can be voluntary, such as the Payment Card Industry Data Security Standard (PCI-DSS) for protecting payment card data and System and Organization Controls 2 (SOC2).14 The latter is a voluntary information security compliance standard providing guidelines on how to securely manage customer data regardless of industry or sector. While compliance schemes differ in many respects, most notably in whether remaining compliant is a legal obligation, noncompliance carries far-reaching business and legal consequences in either case.

Companies that do not abide by regulatory requirements can be audited, fined, investigated, and sued, and they can face dire long-term repercussions to their business. Those who do not adopt and prove compliance with voluntary standards stand to lose business revenue as most commercial contracts mitigate risk by demanding proof of compliance with relevant schemes according to the sector, region, and types of data involved in the business activity.

So does compliance guarantee security? Unfortunately, it does not. It checks off some minimal controls that cover people, processes, and technology. Though compliance and regulation go a long way toward giving organizations a basic security layer, this is not the same as an actual security program. Recall that the presence of a control does not mean the control is effective: compliance schemes often require checking off the presence of a control, without further investigating its measured effectiveness or whether it is working at all. Let’s look at a very common example of how compliance does not translate into better security.

Compliant Passwords, Ineffective Preventive Control

From requiring a minimum password length to mandating specific types of characters, security guidelines have been trying for decades to make passwords more resistant to guessing and cracking. Alas, these guidelines have not had much success, as passwords remain an ineffective preventive control. The main reason is that humans continue to pick bad passwords,15 but another reason is a lack of testing of how passwords actually perform. For example, before 2020, the US National Institute of Standards and Technology (NIST) issued password guidelines that recommended changing passwords frequently while also requiring longer passwords to make them harder to guess or crack. The policy was adhered to, but the control’s effectiveness was often left unexamined, and in practice it was extremely low. As it turns out, to comply with the requirement, people opted for the minimum password length possible so that they could remember their frequently changed passwords. They also practiced riskier behaviors, such as writing passwords down near their workstations, and most admitted to reusing those passwords across different accounts. A Bitwarden report notes that it took hackers less than one second to guess notoriously weak passwords.16 After examining the inefficacy of the original guidelines, NIST changed its password security guidelines and no longer recommended prescheduled password changes. Instead, organizations were advised to screen passwords against a list of passwords that are known to be compromised and to change passwords accordingly.17
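As an added illustration of the updated practice (this is example code, not from the book or from any vendor), the block below screens a candidate password against a compromised-password list using the k-anonymity scheme of Have I Been Pwned’s Pwned Passwords range API: only the first five hex characters of the SHA-1 hash leave the client, the server returns every suffix it knows for that prefix with its breach count, and the match is made locally. The range response here is a constructed offline stand-in; the endpoint URL, the made-up suffixes, and the counts are assumptions, while the suffix of the well-known weak password "password" is computed.

```python
# Added example (not from the book): screen a candidate password against a
# compromised-password list with the k-anonymity scheme used by Have I Been
# Pwned's Pwned Passwords range API: only the first five hex characters of the
# SHA-1 hash leave the client; the server answers with every suffix it knows
# for that prefix and its breach count, and the match is made locally.
import hashlib

def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_response):
    """Look up a hash suffix in a 'SUFFIX:COUNT' range response; 0 if absent."""
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0

def evaluate(password, fetch_range, min_length=8):
    """Screening policy in the spirit of the updated NIST guidance: a minimum
    length plus a compromised-list check, with no composition rules and no
    scheduled rotation. Returns the failure reasons (empty means accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    prefix, suffix = sha1_split(password)
    hits = breach_count(suffix, fetch_range(prefix))
    if hits:
        reasons.append(f"appears in {hits} known breaches")
    return reasons

# Constructed offline stand-in for the range API (assumed real endpoint:
# https://api.pwnedpasswords.com/range/<prefix>). The first two suffixes and
# all counts are made up; the third suffix is the genuine SHA-1 suffix of
# the notoriously weak password "password".
_PREFIX, _PWNED_SUFFIX = sha1_split("password")
SAMPLE_RANGES = {
    _PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        f"{_PWNED_SUFFIX}:9545824",
    ])
}

def offline_fetch(prefix):
    """Stand-in for the HTTP call; unknown prefixes return an empty response."""
    return SAMPLE_RANGES.get(prefix, "")

def demo():
    """Compare a well-known weak password with a long, unique passphrase."""
    return (evaluate("password", offline_fetch),
            evaluate("correct-horse-battery-staple-4Q7", offline_fetch))
```

Because the server only ever sees a five-character hash prefix, the screening control can be retested against a current breach corpus without the plaintext password or its full hash leaving the organization.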

Can one now assume password security? Unfortunately, complying with this updated best practice is better, but it is still not a way to fully meet real-world password security needs. A more effective way to mitigate password risk is to view it within a wider access control context. For example, advise the use of password managers to create strong, unique passwords for each platform and website used. Roll out multifactor authentication to limit what an attacker can do with a stolen password. Once that is done, password effectiveness can be retested, and the results can be documented to justify the cost of the controls and their ability to mitigate risk.

We can learn from the password example that mere compliance with official password guidelines does not guarantee security. Adhering to standards and complying with regulations are extremely important steps in a global effort to standardize security, but these efforts set only a minimum baseline. These one-size-fits-all requirements are not, on their own, a way to build security programs for specific security architectures, use cases, and implementations. To reach a better security posture and to mature organizational capabilities in this regard, one must continually run a risk assessment and mitigation loop that includes measurable control test results.

The Need to Justify Security Spend

The last five years have seen double-digit year-over-year growth in cybersecurity spending across the globe. Gartner notes that cybersecurity spending is on pace to surpass USD $260 billion by 2026.18 But while budgets keep growing, organizations don’t have much to show for it in terms of reducing the rate of successful attacks. It stands to reason that executives and boards have started to question costs allocated to security and to ask to see proof of the security program’s effectiveness. CEOs and CFOs are asking chief information security officers (CISOs) and chief information officers (CIOs) to justify the rising budgets associated with buying and implementing security controls, managed security services, and security training, to name a few. The obvious result is that budgets are going to be cut back, and at that point, only the controls that show the best return on investment and proven performance will be prioritized. Another very problematic result is that CISOs and senior security management themselves are seen as delivering suboptimal results, leading to blame and premature attrition that further increases business risk.

To start moving in the right direction, security must enable decision makers to prioritize investments by relying on repeatable testing, data insights, and measurable results. While an official framework has not yet been standardized for evidence-based security, the concept itself is not new. Metrics, testing, and fine-tuning are methods already used in other industries such as software engineering, as well as the automotive industry, the pharmaceutical sector, and even performance sports, to name a few.

As a case in point for cybersecurity, approaching standardization as much as possible would mean applying a threat-informed approach, relying on a common language of attacker tactics, techniques, and procedures (TTPs), and creating metrics specific to security controls. Common metrics make it possible to test the controls, analyze the results, and tune and retest for improvement over time. As needed, security teams can recommend modifying controls, changing them, replacing them with architectural modifications, or removing them entirely if they continue to prove ineffective. This evolution, in turn, will directly affect the ability to justify spending on security controls, training, and new projects, and it will also demonstrate the success of security leadership in effectively reducing risk to the business.

1 “How Responsible Data Can Help Us Navigate the Economic Crisis”, World Economic Forum, January 17, 2023.

2 Bharath Aiyer et al., “New Survey Reveals $2 Trillion Market Opportunity for Cybersecurity Technology and Service Providers”, McKinsey & Company, October 27, 2022.

3 “Cyber Security Market Size, Share & COVID-19 Impact Analysis”, Fortune Business Insights, April 2023.

4 IBM Security, “Cost of a Data Breach: Report 2022”, 2022.

5 IBM Security, “Cost of a Data Breach: Report 2022”, 2022.

6 “IBM Security X-Force Threat Intelligence Index 2023”, IBM, accessed April 17, 2023.

7 Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth, and Ron Lieber, “Equifax Says Cyberattack May Have Affected 143 Million in the U.S.”, New York Times, September 7, 2017.

8 “Ending the Era of Security Control Failure”, AttackIQ, accessed April 17, 2023.

9 “Security and Vulnerability Management Market Projected to Reach USD 21.38 Billion by 2028—Exclusive Report by Brandessence Market Research”, Cision PR Newswire, July 7, 2022.

10 The NVD is the US government repository of standards-based vulnerability management data.

11 Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. See the National Vulnerability Database.

12 See the NVD Common Vulnerability Scoring System Calculator.

13 See the OWASP Vulnerability Management Guide.

14 Information on the PCI Security Standards Council can be found at https://oreil.ly/iP191.

15 Liam Tung, “We’re Still Making Terrible Choices with Passwords, Even Though We Know Better”, ZDNet, September 24, 2021.

16 Natasha Piñon, “Hackers Guessed the World’s Most Common Password in Under 1 Second—Make Sure Yours Isn’t on the List”, CNBC, November 23, 2022.

17 Have I Been Pwned?

18 Matt Kapko, “Cybersecurity Spending on Pace to Surpass $260B by 2026”, Cybersecurity Dive, October 18, 2022.
