Security Controls Fail – Why?

Three Trillion Reasons – One Answer

According to a recent McKinsey report, by the year 2020 the total cost of ineffective security will reach $3 trillion annually. That is a huge number, roughly one fifth of the current US GDP (Gross Domestic Product). As another comparison, Forbes reported in February 2014 that annual US healthcare spending had hit $3.8 trillion. How on earth, as a society, are we going to finance that? More importantly, why can't we solve the problem?

Whenever faced with a question in life where the answer eludes me, I have always applied an infallible rule which inevitably leads me to the answer: "Follow the money." The security crisis we are witnessing today is the convergence of two money trails. First, cyber criminals are motivated by financial gain. Second, countering cybercrime is big business, with an ever-expanding catalogue of solutions that organizations must purchase. Of course, there are other peripheral issues, such as generational differences on privacy and the emphasis on speed and convenience. Still, the root cause boils down to money.

Why have we failed to solve our expanding security problems? In my view, it is for the same reasons civilizations fail, the same reasons nations fail, and the same reasons organizations fail: people. Unless the collective culture, values, and belief systems are sound, almost anything will eventually fail.

I am not advocating here that we adopt draconian oversight which trumps individual liberties. In fact, I have grave concerns that we are heading down that path, with organizations such as the NSA eavesdropping on everyone's private lives and applying behavioral analysis to that data. Just as many medical and technology advances come out of military applications, it will not be long before such Orwellian measures come to private industry. Quite the contrary: we need to shift our focus to individual responsibility rather than abdicate our privacy and freedom.

Consider the following two examples:

In the aforementioned McKinsey report, seven key tenets are mentioned:

  1. Prioritize assets based on business risks
  2. Differentiate protection based on asset importance
  3. Deeply integrate security into the environment
  4. Deploy active and proactive defenses
  5. Test continuously to improve response
  6. Enlist front line personnel
  7. Integrate cyber resilience into enterprise risk and governance

It is my view that "enlist front line personnel" should come near the top of that list, and no later than number two, directly after prioritizing assets.

Secondly, consider the 20 Critical Controls for Cyber Defense.

All 20 controls listed are good, sound best practices, yet awareness is not even on the list.

The "find a technical solution to the problem" mindset is prevalent throughout the industry. When interviewing prospective security practitioners for roles in the organization, I often ask the question, "Tell me about security." A frequent answer, or some variation of it, is that "we need to defend against all threats." Is that so? If so, then where does it end, and can we ever sleep well at night? There will never be an end to threats, because new threats will constantly evolve.

It is absolutely essential that we implement proper controls, be they technical or procedural. However, we need to start focusing our investments on people, because people will always remain the weakest link. No matter how robust our technical solutions become, one person can always find a way to cause our brilliant technology to fail. (I believe they call that Murphy's Law.)

By investing in the people element, and changing the values and belief systems, we can achieve a secure digital world. But people need to know the answer to the most basic of questions: "Why does it matter to me?" Exploring a different view of security awareness programs will be the topic of a subsequent post.