Gartner, Metallica and Why - A Cybersecurity Journey, Part 1

Last month, Gartner released their Top Cybersecurity Trends for 2023. In it, the author identifies nine industry trends where they believe Chief Information Security Officers (CISOs) and Security and Risk Management (SRM) leaders must reevaluate the balance of their investments. These areas are: Human-Centric Security Design, Enhancing People Management for Security Program Sustainability, Transforming the Cybersecurity Operating Model to Support Value Creation, Threat Exposure Management, Identity Fabric Immunity, Cybersecurity Validation, Cybersecurity Platform Consolidation, Composable Businesses Need Composable Security and Boards Expand Their Competency in Cybersecurity Oversight. It’s an interesting and insightful read, and something CISOs and SRMs should have a look at. But while I found the content interesting and dare I say inspiring (I do indeed…but only a bit), what was not covered in the report is the “why”; why do security leaders need to rethink their approach? What is the impetus behind the scenes that would compel them to actually change?

Why People Change

People in general change for three potential reasons: need (If I don’t quit/start doing X, something bad/good is/isn’t going to happen), desire (I want to take a different path) and opportunity (In the current circumstances, I am now able to do something differently). Without at least one of these factors being met, change is unlikely to occur in anyone.  There are no exceptions to the rule. Think of any story, real or fictitious, in which the protagonist was not in possession of at least one of these factors.  From the Epic of Gilgamesh to Guardians of the Galaxy or Ernest Shackleton to Matthew Stafford, change is always preceded by need, desire or ability.

With that in mind, which motivator do you think will compel the change that Gartner thinks is necessary in 2023 and beyond? Do CISOs and SRMs NEED to make changes for some reason, do they have a newfound DESIRE to make changes, or do they finally have the ABILITY to make the changes they’ve wanted to make all along? Let’s take a bit of a deeper look at each of these elements and see if an answer emerges.

Need

Data breaches and cyber incidents have been taking place for 30+ years. With the exception of Uber CISO Joe Sullivan, for whom federal prosecutors recently recommended a 15-month sentence but who was only given probation and community service, nobody has gone to jail for failing to protect their organizations. Now this failure has not been due to a lack of effort, budget or prioritization, but failure is failure, regardless of how hard you try. I think CISOs and SRMs are by and large very intelligent, capable professionals that genuinely want what’s best for the companies they serve. But we are not talking about effort or budget or prioritization; we are talking about need.

Why do they need to make a change and do something different? Are they facing legal scrutiny (providing a defensible position of reasonableness)? Are they facing civil or criminal charges? Will their positions be in jeopardy or eliminated? No, no and no. There is no pending legislation, no increase in regulatory fines that I am aware of, and there are no criminal charges to be faced for being breached. So while I don’t doubt there is an altruistic need to improve organizational security when the term is used as an adverb, there is not a need per se when the term is used as a noun.

Desire

This is a tough one since I am casting a very wide net that is laden with generalities, most of which are only going to be marginally accurate (a verbose way to say I’m guessing). But, with 25 years in the industry and 2,500 data breaches under my belt, I’d wager I can make a decently educated guess. 

Desire is rooted in the hope of a better future state. I have a desire to play guitar like Kirk Hammett, so I changed my daily routine, to allow myself the time to practice guitar daily. I have a desire to maintain my fitness levels in my 50s, so I changed my daily routine to allow for one hour of exercise. I want a specific future state (being fit and being able to shred like Kirk) and therefore I make the adjustments necessary to achieve that thing. Seems pretty straightforward, right? 

Well, why will 2023 be the year that desire in CISOs and SRMs suddenly manifests? Why didn’t it happen in 2022 or 2021? It’s not like we’re facing a new phenomenon since incidents have been occurring regularly for more than 30 years. So, I am not saying that CISOs and SRMs don’t genuinely want their environments to be more secure and make things harder on threat actors (TAs), I have no doubt that they do. What I am doubting is the sudden emergence of a previously absent desire.

If CISOs and SRMs are going to have the desire in 2023 to make their organizations more secure, then they likely already had that desire in 2022 and 2021. That means there is unlikely to be something new that spurs that desire across the industry; it was either there to begin with or it was absent.

Ability

This category of change is focused on change in your circumstances that allow change to take place. For example, I’ve always wanted to play guitar like Kirk Hammett, but I couldn’t afford a sweet Gibson Les Paul Studio upon which to shred. Since my grandma gave me birthday money, I now have the cash to buy the guitar I need to start playing Master of Puppets properly. Grandma’s cash gave me the ability to make the change I wanted.

Remember I said that you need at least one of these change elements for change to manifest? The ability to change is rarely found in isolation and is typically coupled with either need or desire. In my simple example, buying a Gibson Les Paul didn’t make me automatically able to crank out Battery. I had to both have the ability to change (thanks grandma) AND the desire to adjust my schedule to allow for daily practice.

What is the cyber equivalent of a present from grandma? Is there some new technology or capability that was introduced at RSA this year that is going to give CISOs and SRMs a much-needed upper hand in the fight against our adversaries? Will AI or ChatGPT be the answer we’ve all been waiting for? Maybe, but as the Magic Eight Ball says, “Ask again later” (these technologies are available to the bad guys too). Even if some new technology did emerge in 2023, it would have to be partnered with either need or desire to create any sort of meaningful change, and we’ve already explored how unlikely the appearance of those elements is. Sigh.

Now What?

Well thanks Chris, you have now sucked the life out of my desire to be a cybersecurity rock star, not entirely unlike Kirk Hammett, and I am just a sad sack looking for a place to lie down and lament all my woes. Apparently, there is no need, desire or ability for CISOs and SRMs to make meaningful changes, so why go on? Why not just continue with the status quo and do the same old things and get the same old outcomes? There are some successful companies like Mandiant, CrowdStrike, Palo Alto and Kroll that are making a pretty good living off the status quo, so why upset the apple cart? Why indeed!?

The answer to my original question, then, is one I think is somewhat pessimistic but unfortunately reflects the reality I see: it is likely that nothing will change in 2023.

So, what can be done? How can CISOs and SRMs make a real and lasting impact on their organizations and the cybersecurity community as a whole? How can need, desire and ability be injected into the industry and compel the change we all appear to want?

Check out my next article, titled “Freaking Change Already”.  

JOE ANDRES

PARMA HOSPITAL at Giant Eagle, Inc.

1y

I LIKE THEM

Michael Burke

Experienced, Skilled Writer and Editor | Publishing Professional | Marketing & Editorial Consultant

1y

Nice, Chris. Rock on and keep shredding!

Great article, Chris. Love the Metallica reference. They are the reason I learned to play guitar years ago. It doesn’t get much better than playing the opening solo on Fade to Black over Hetfield’s chord progression… Evolution is key in all areas of life. I’m partial to software solutions in our space, and it’s important to stay relevant and solving problems better, faster, cheaper is the name of the game. Nothing stays the same forever…

More articles by Christopher Pogue, MSIS