no fix for cyber security in our lifetime

by Michael Werneburg
on 2016.06.23


An article landed in my inbox today in which an expert from Marsh was quoted as saying, "Cyber as a pervasive risk will likely not be solved in our lifetime."

I have to say I agree. My focus is a bit broader than "cyber", but it's such an incessant problem and the stakes are so high that it easily outweighs the other broadly-bucketed issues that I'm tracking in my day job. As to solving it, though, it's the complexity of the problem, the way it tramples across organizational boundaries (and executive turf/ego), and the degree of change in mindset required that make it so intractable.

As a small example, we're still dealing with the bring-your-own-device mess; how can we expect to improve our security stance when our leadership prefers convenience to rationality?

Far worse, the "Internet of things" problem simply has no technical fix. We'll never get those millions of devices back to the manufacturer for an expensive fix. We've permanently deployed an "Internet of insecure things" that is actively being used against the infrastructure underpinning the entire Internet. Permanently.

We've made improvements by leaps and bounds in developing standards that are effective and applicable. But they're applied at the organizational level only by those organizations that a) can afford them and b) are paying attention to the problem. Anyone who doesn't have both a) and b) isn't going to reach a baseline of competence. And unfortunately, in our current economy, it's the weakest link that determines the strength of the whole.

Judging from the way this has been going since the outset of my career in '94-'95, I'm quite certain that this is more than will be fixed in the remaining 20-25 years of my career, and I believe it's also more than will be addressed in the remaining 30-40 years of my life.