Who watches the watchers?

Security in general, and cybersecurity in particular, requires someone to watch the watchers.

Protecting assets, whether human, physical, or digital, requires a strategy beyond tools or point solutions. Having spent the last ten-plus years building behavior analysis tools with machine learning and artificial intelligence, I have learned one ground truth. In our rush to check boxes, we vest our intelligence in tools instead of process, and that becomes technical debt and weak links.

There is no KILLCHAIN if one link is compromised!

CISOs and C-level players must understand that behavioral science is trying to validate who or what something is. While today’s AI and ML systems can use probability to estimate future states, they can’t predict anything. Any attempt to do this is computationally tricky and exponentially more expensive as you get closer to event horizons.

Point solutions and security software make promises they can’t keep. NO vendor can avoid being a vector, as we have seen with SolarWinds, FireEye, Microsoft, etc. So why trust them so explicitly?

Fixing our industrial problems while increasing our security is simple. Checks and balances. While tools will do, nothing beats an old-fashioned process. A process empowered by clear asset definitions and logical tool deployments. Critically, tools and strategies that watch the watchers. Human or AI.

I have created many anomaly and risk scoring tools that have discovered extraordinary weaknesses and breaches in commercial software. I have been shocked at how little interest the market has in using them. Usually, this boils down to a simple philosophy.

If I don’t know, I can’t be blamed or forced to address it. I have spent millions on these packages and can’t spend more on hardening them. Really?!

Umbrella and set-and-forget security strategies are dead. There are no moats, walls, tunnels, or vendors who can be trusted. C-level executives have to trust the security professionals and their dark arts to bring light and safety to business. CISOs and other security people have to act as if everyone and everything is a vector and stop checking boxes.

It’s an active and engaging discipline that requires your A-game every game. From basic HID systems to quantum AI, you need to specify the field of battle and define critical assets, players, and tools. Build a budget of “+X” percent to validate everything you control, from firmware to cloud. Be prepared to shift everything on a dime. Zero-Trust is not just a method; it’s a way of life. Trust but verify EVERYTHING, especially your security vendors, who are the worst vector.

We don’t need more tools to solve what is a business and management problem. Build your systems to check everything you deploy. Deploy and re-deploy security strategies. Security must be simple to consume and use, or it’s a failure by design. This requirement shifts all the complexity to the security apparatus in your company. Make it simple, engaging, and dynamic. Protect the assets you must and reduce the risk of being front-page news.
