Risk Topics

no fix for cyber security in our lifetime


An article landed in my inbox today in which an expert from Marsh was quoted as saying, "Cyber as a pervasive risk will likely not be solved in our lifetime."

I have to say I agree. My focus is a bit broader than "cyber", but it's such an incessant problem and the stakes are so high that it easily caps the other broadly-bucketed issues that I'm tracking in my day job. To the point of solving it, though, it's the complexity of the problem, the way it tramples across organizational boundaries (and executive turf/ego), and the degree of change in mindset required that makes it so intractable.

As a small example, we're still dealing with the bring-your-own-device mess; how can we expect to improve our security stance when our leadership prefers convenience to rationality.

Far worse, the "Internet of things" problem simply has no technical fix. We'll never get those millions of devices back to the manufacturer for an expensive fix. We've permanently deployed an "Internet of insecure things" that are actively being used against the infrastructure underpinnings of the entire Internet. Permanently.

We've made improvements by leaps and bounds in developing standards that are effective and applicable. But they're applied at the organizational level only by those organizations that a) can afford them and b) are paying attention to the problem. Anyone that doesn't have both a) and b) isn't going to reach a baseline of competence. And unfortunately in our current economy it's the weakest link that determines the strength of the whole.

Judging from the way this has been going since the outset of my career in '94-'95, I'm quite certain that this is more than is going to be fixed in the remaining 20-25 years of my career, and believe it's also more than will be addressed in the remaining 30-40 years of my life.

© 2013 - 2019 werneburg information risk management inc.