Cybersecurity is dead.
Back when this profession of ours was trying to find its place in the world, some smart people who thought the state of computing was shit got together and started to make some noise. The L0pht fellas testified in front of the US Congress, the cDc folks released tools that not only mocked Microsoft but pretty much made the company do something to at least save face, and hacker conferences were all the rage. Those were the days of smashing stacks for fun and profit, and the days some people realized that powerful technology companies were putting us all at risk for profit and no fun.
Some of those folks went on to start their own cybersecurity companies, some went on to work for governments, or work for the very companies they were ridiculing not too long ago. Some have tried to keep the flame alive and bring back that vibe. And, somewhere along the way, shit got weird.
Everyone and their mothers saw this new field and thought they would be able to capitalize on it. And they were right. Information Security companies started popping up left and right, cybersecurity certifications of dubious value proliferated, bootcamps that promised to get you ready to land that 6-figure job in a matter of weeks became very popular, and "professional associations" started to gain some momentum. Very rightly, might I add. The field was blooming, and there was a lot of money to be made. And you know what they say: "When everyone's digging for gold, sell shovels."
The cybersecurity (née information security) professionals were on the top of the world! In such high demand that you couldn't even go on LinkedIn without preparing for the barrage of recruiters' messages you would surely have to face. Business was good! And then I think we all got cocky.
A lot of us started operating under the assumption that everyone and everything was some sort of existential threat, that garden-variety vulnerabilities were a cataclysm, and that people who didn't know any better should stop whatever they were doing immediately and heed our warnings. Developers. IT. HR. Accounting. Legal. They were all a bunch of dummies who were putting the organization at extreme risk just by virtue of going about their business. Every single countermeasure was thrown at them, proportional or not. Endpoint protection that wouldn't let them write some VB. Email gateways that quarantined invoices, which then came due without ever reaching the right inbox. Password policies that inevitably made people write down and reuse passwords. Blocked USB ports that made people email things to/from their personal accounts just to open a document that would then be blocked by the aforementioned email gateway. We added so many roadblocks that, quite predictably, everyone started avoiding us. And bypassing us. And ignoring us. But we had an ace up our sleeves: just you wait until something bad happens and you'll see!
And then... some bad things happened and it wasn't the apocalypse? All the vulnerabilities with fancy names and custom t-shirts and DEF CON talks mainly got fixed without much ado. Bugs in widely used libraries were announced as ticking time bombs just to become not that big of a deal, really. All those things were chipping away at our credibility. We were so self-absorbed and self-important that we didn't even see things changing right before our very eyes. CISOs went to board rooms and started talking about cloud security this, AI that, SBOM this, Kubernetes that, and companies were like: "Bro. Nothing happens when we give you money, and slightly more happens when we don't. So we won't."
Reality eventually catches up, and the reality right now is this: nothing really bad happens when companies fuck up. They might be slightly inconvenienced, maybe have to pay a fine, or spend a couple million to give people some bullshit identity monitoring. But it's almost never some apocalyptic event. And when it kinda is, it's almost never some high-tech, AI-enabled, need-to-string-together-7-exploits-and-get-the-timing-just-right-down-to-the-millisecond Mr. Hackerman state-sponsored ninja shit. It's fucking ransomware and credential stuffing. Go look. The basics are never sexy, though. And CISOs need to go look for the new shiny thing they can use to scare the board into giving them more money to throw at things that are not a threat. And if there's anything we've learned in the past 8 years or so, it's that "reputational damage" is wildly overrated. It's really hard to play that card when people don't have alternatives. What are we going to do? Leave? Where to? In the grand scheme of things, do we even care about some data leak? It happens so often that we're desensitized. Shifting baselines and all that.
So, what do we do? I'd argue that we need to start being a little more honest with ourselves and accept the fact that the world doesn't revolve around us. Most of us are not in a spy novel. Most of us do not work for companies that should worry about nation-state APTs. Most of us don't even work for companies that would qualify under the already very generous term "critical infrastructure." We need to settle the fuck down and think about our role in all this, and start offering actual, actionable solutions to threats and vulnerabilities that don't involve the ability to manipulate quantum fields. Academic research is all well and good, but spend a couple of minutes deciding whether that research you saw presented at DEF CON really impacts your employer.
We suck at measuring risks, and the world knows that now. Our credibility is in tatters, and it's going to take some work to get it fixed. We can do it, though. We're smart. But the current model is dead, and everyone you know who's looking for a cybersecurity job knows it, too. And, hey! You can always hire me.