Despite industry best practices, there will always be security breaches

The recent article by Allen Gwinn demonstrates a gross lack of understanding of the fundamentals of cybersecurity. 

The title specifically refers to “industry best practices” which Gwinn defines with a link not to a cybersecurity company but to an article on a random computer services provider’s website not written by an expert. If Gwinn has the 40 years of expertise that he claims in all things cyber, he would be aware of the most commonly accepted cybersecurity industry best practices, which include minimally the Center for Internet Security Controls (CIS) and the National Institute of Standards and Technology Cybersecurity Framework (CSF). These, and many others created around the world by respected bodies, are peer reviewed and well accepted.

The reason I highlight these actual industry best practices, versus the article’s example, is that they all include an acknowledgement that there will be failures even in the best programs. The CSF, for example, defines a cybersecurity framework as “Identify, Protect, Detect, Respond, Recover.” In short, actual industry best practice is that you accept that even the best programs will experience an incident and proactively plan for it. Cybersecurity is not about perfection but, like all business functions, about risk management.

Cybersecurity programs have to balance providing the required services to potentially billions of people while protecting the systems and data in the process. While we don’t know yet what were the enablers of the Colonial Pipeline incident, you have to accept that the business had to connect control systems to the business network minimally so that it could bill its clients. This is not a trivial balance.

Many statements in Gwinn’s article are utterly nonsense — for example, saying that industry best practices box in administrators from seeing what is happening on the network, workstations and other systems. Again, detection is a critical control in all best practices. Crowdstrike, an internationally prominent company, literally does nothing but monitor systems and respond to incidents like those which Gwinn contends are not allowed. There are hundreds of managed detection and response products and services providers (here is a list of just 40) that do exactly what Gwinn contends that those supposed “best practices” prevent.

Regarding Gwinn’s contention that companies should never hire cybersecurity professionals from organizations that have been victims of data breaches, I would challenge him to point to any business or industry that hasn’t had business management failings. In 2019, banks lost $28 billion to credit card fraud. Financial organizations set aside $120 billion per year to cover bad loans. Yet, Gwinn does not address this concept and tell people not to hire some of the most prominent financial executives in the world.

Admittedly, there are many poor cybersecurity programs. However, unlike the “ivory tower” view that Gwinn has of these programs, poor cybersecurity programs are poor because they do not implement industry best practices like the CIS Controls and CSF. 

The reality is that there is a continuum in the quality of cybersecurity programs. However, the most critical factor in that quality is the level of management support and financing that cybersecurity programs receive. In all but a few organizations, in all industries, security executives often have countermeasures they know they critically need but cannot get the budgets to implement, because chief financial officers want to save money,  and disasters frequently result.

The CEOs of several large companies have been removed after previous data breaches because they oversaw and ignored critically flawed cybersecurity programs; often, those companies had not followed industry best practices. Other business leaders hamper their cybersecurity executives because they don’t want to spend money or interrupt business practices. 

Although Gwinn subsequently tried to backtrack on his statements that companies should never hire a cybersecurity professional who worked for an organization that experiences an incident, his limiting of that statement to cybersecurity leaders does not take into account all the dynamics impacting a cybersecurity program in a large organization.

Most people do not understand what it takes to implement a complex cybersecurity program that must simultaneously provide countless people with access and functionality while limiting that ability as little as possible — much as they do not understand what it is like to write trillions of dollars of loans while acknowledging there will be billions of dollars of bad debt in the process.

In my opinion, The Hill should not allow the limiting of a statement never to hire people but, frankly, should reconsider the publishing of Gwinn’s article as a whole. 

Yes, everything in the article sounded intuitively obvious and provided an obscure reference to a self-proclaimed “industry best practice,” but that is the definition of “specious.” Gwinn’s article is inaccurate on all of its critical assertions while grossly misinforming people who are not familiar with the topic. It needs to be represented as such.

Ira Winkler, CISSP, is chief information security officer at Skyline Technology Solutions and the author of six books, including, “Advanced Persistent Security.” He is a former National Security Agency (NSA) intelligence and computer systems analyst and is on the adjunct faculty for the University of Maryland Baltimore County Center for Cybersecurity, which has been recognized by the NSA as a Center of Academic Excellence for cybersecurity.