Chapter 1 The One Patch Most Needed in Cybersecurity

There is nothing more deceptive than an obvious fact.

—Sherlock Holmes

The Bascombe Valley Mystery1

In the days after September 11, 2001, increased security meant overhauled screening at the airport, no-fly lists, air marshals, and attacking terrorist training camps. But just 12 years later, the FBI was emphasizing the emergence of a very different concern: the “cyber-based threat.” In 2013, FBI director James B. Comey, testifying before the Senate Committee on Homeland Security and Governmental Affairs, stated the following:

. . .we anticipate that in the future, resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.

—FBI director James B. Comey, November 14, 20132

This is a shift in priorities we cannot overstate. How many organizations in 2001, preparing for what they perceived as the key threats at the time, would have even imagined that cyber threats would have not only equaled but exceeded more conventional terrorist threats? Yet as we write this book, it is accepted as our new “new normal.”

Admittedly, those outside of the world of cybersecurity may think the FBI is sowing seeds of Fear, Uncertainty, and Doubt (FUD) to some political end. But it would seem that there are plenty of sources of FUD, so why pick cyber threats in particular? Of course, to cybersecurity experts this is a non-epiphany. We are under attack and it will certainly get worse ...

Get How to Measure Anything in Cybersecurity Risk now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.