Global cybersecurity spending is approaching $200 billion per year, "without actually preventing advanced persistent threats, ransomware, or other web-based malicious code," writes Matt Ashburn, Head of Strategic Initiatives for Authentic8. In a new treatise, the former CIA Cyber Security Officer and National Security CISO at the White House asks: "Why do such attacks continue to plague organizations?"
The paper, titled The Billion-dollar Security Blanket: How Security Spending Overlooks the Biggest Risk of All, examines why enterprise CIOs and CISOs keep investing in a "dizzying multi-vendor amalgamation of tools" - with little to no return on that investment to show for it.
So what does all that money actually buy?
A false sense of security, perhaps, posits Matt Ashburn. The average cost of data breaches still more than doubled in recent years, from $3.54 million in 2006 to $8.19 million in 2019. One effect, according to Ashburn: "The mindset of C-suite executives has shifted from 'if a breach happens' to 'when a breach happens.'"
According to one U.S. government analysis, the impact of malicious cyber activity now costs the global economy more than $100 billion per year, despite the crocheted quilt of security tools aimed at preventing and mitigating such threats.
As examples, Matt Ashburn mentions "secure web and e-mail gateways, malware detonation/sandbox appliances, identity and access control applications, patch and vulnerability management solutions, endpoint security, network analytics, in-line decryption, data loss prevention, cyber threat intelligence, artificial intelligence, machine learning, data science, security brokers, user behavior analytics, and so much more."
Tool fatigue, anyone? In A Boy Named Charlie Brown, the animated movie from 1969, Peanuts cartoon character Linus reminds us of the real purpose of a security blanket. It's not there to provide a solution.
Instead, it promises comfort in a sea of madness: "This blanket is a necessity. It keeps me from cracking up. It may be regarded as a spiritual tourniquet. Without it, I'd be nothing, a ship without a rudder."
How can CIOs and CISOs prevent their cybersecurity investment from being reduced to an "ineffective security blanket" (Ashburn)?
We need to face "the biggest risk of all" at the core of the matter, he writes: the decades-old, inherently vulnerable architecture of the local web browser.
Browsers have become the main gateway for malware, tracking, and de-anonymization, because they indiscriminately store and execute code on the user's workstation inside the target's network.
"If we think of the ever-growing suite of immature cybersecurity products as a potential security blanket," writes Matt Ashburn, "the web browser can be considered a stray thread. When tugged slightly by an attacker, it can unravel and dissolve the security blanket to reveal an organization's sensitive data to outside persons."
His paper describes how, by re-thinking the ubiquitous web browser and its connection to the internet, CIOs and CISOs can almost entirely eliminate their organization's internet risk surface. The Silo Web Isolation Platform enables them to provide users with the tools and access they need and free up resources needed to focus on more advanced threats.
Matt Ashburn has spent a big part of his cybersecurity career focusing on incident response and standing up Security Operations Centers, both in federal agencies and the private sector. In The Billion-Dollar Security Blanket, he draws on his understanding of the tough risk-based decisions CIOs and CISOs make to secure their networks, systems, and personnel, under the constraints of finite resources and authority.
Looking back on the many audits, cybersecurity incidents, and information assurance programs he participated in over the years, writes the author, he wished he had re-thought the concept of web browsing years ago.
"It's incredibly simple in hindsight, and I hope that others can benefit from this message."