Cybersecurity thinking: an argument for change


In his paper ‘The Human Vulnerability’, which is subtitled ‘Why the cybersecurity industry has been fighting the wrong battle for 20 years – and how we can reclaim the surrendered ground’, Chris Pogue puts forward a convincing, and compelling, argument for change. The big question is whether the industry as a whole can respond with an Obamaesque ‘Yes We Can’ rather than continue building a Trump-a-like fence around the issue.

Chris Pogue is Senior Vice President of Cyber Threat Analysis at vendor Nuix, and also a member of the US Secret Service Electronic Crimes Task Force. A security veteran with over two decades of experience, Pogue has investigated thousands of breaches across the globe and can draw on experience as an ethical hacker, military officer and a SANS thought leader to boot.

Here at IT Security Thing, insiders with such a wealth of experience are our bread and butter associates; and we are well aware that a whole bunch of experience does not automatically an interesting white paper make. In this case, however, Pogue has pulled the metaphorical rabbit out of the hat. As well as being genuinely thought-provoking, this white paper provides all the ammunition to build a strategic battle plan and practical action plan for both the security industry and any organisation willing to take it seriously. And take it seriously you should.

Focusing on the meshing of technology, process and people in order to address the cybersecurity problem is not optional, folks; it’s a must do.

“Cybersecurity is not a technology problem; at its heart, it’s a people problem.”

Pogue argues that the industry has, however, failed to see the light and instead has been “fighting the wrong battle with the wrong weapons” and doing so for 20 years no less.

“In the more than 2,500 data breaches I have investigated, I can count exactly zero that were caused by non-human-initiated system failure. Like it or not, people are the problem,” he insists, continuing, “do we have what it takes to outsmart our own brains and stop ourselves from repeating the mistakes of the past? Hopefully we can set ourselves up for the next 20 years, get serious about security, address the real human vulnerability, and start reclaiming surrendered ground.”

Having read it from top to bottom, it comes as no surprise to discover that this white paper is based on six months of solid research. It really does read more as a labour of love than the usual product marketing push in disguise we are so used to seeing here at IT Security Thing HQ.

Why has an entire industry with some of the most intelligent people on the planet fallen so short of its objective, it asks, and why are we so consistently defeated by cybercriminals? Pogue provides the answer to this introductory gambit in his very next written breath when he states that “cybersecurity is not a technology problem; at its heart, it’s a people problem.” Which doesn’t mean the rest of the white paper isn’t worth a read; it most certainly is.

“It does not take a brain surgeon to see that whatever the cybersecurity industry has been doing for the past two decades has, very simply, failed,” Pogue says. “Continuing along this path is obviously a fool’s errand, in lockstep with what Albert Einstein so accurately defined as insanity.” He attempts to find the answer to the question of why so many smart people have spent so much money and exerted so much effort yet made so little real progress.

That is something we must all ask of ourselves if we are to actually make an impact, to actually make our data safer. It takes a non-linear analysis to get started, and a willingness to draw on how other industries have dealt with the people problem.

“Our focus, as we move forward, should be on the patterns and tags associated with the marriage of people and technology,” Pogue concludes, adding “by reducing the number of human decision points through technology, we can dramatically reduce the opportunity for mistakes and failure.”