“The Hitchhiker’s Guide to the Galaxy,” by Douglas Adams, could actually be a guide to cybersecurity if read in a different context. The crux of the problem in present-day cybersecurity practice is summed up in this exchange from the book:
After seven and a half million years of computing, “The answer to the Great Question of life, the universe and everything… is Forty-two,” said Deep Thought, with infinite majesty and calm. “But it was the Great Question! The Ultimate Question of Life, the Universe and Everything,” howled Loonquawl. “What is forty-two?”
“I checked it very thoroughly,” said the computer, “and that quite definitely is the answer. I think the problem, to be quite honest with you, is that you’ve never actually known what the question is.” And so another, even bigger computer had to be built to find out what the actual question was!
No one is spending time to ask the right question. While a security analyst is busy deciphering 600-page reports and a CISO negotiates an increase in the year’s cybersecurity budget, the board only wants to know if their organization is secure. To answer that question, Dmitri Alperovitch, who discovered Operation Shady RAT, said, “There are only two types of companies—those that know they’ve been compromised, and those that don’t know.” Former FBI director Robert Mueller took it a step further, adding, “And even they are converging into one category: companies that have been hacked and will be hacked again.”
Cybersecurity is not how many breaches you’ve detected or prevented, or how many vulnerabilities were patched; it is not how many times you’ve trained your employees, whether you’re in compliance with regulations or the amount of malware detected. Given everything organizations are doing to secure themselves, like Loonquawl, they’re still failing to ask – and correctly answer – the right question.
In my opinion, that question is, “How likely are you to get hacked, today?”
The answer to that is based on two other unanswered questions:
1. How current, or real-time, is your information?
2. Are you quantifying your cyber risk?
For organizations to get…