Getting it right matters in cybersecurity. A breach can damage a company’s reputation, erode market share, and provoke fines or other penalties that have a serious bottom-line impact. That makes it all the more startling to learn Professor Eugene Spafford and his co-authors Leigh Metcalf and Josiah Dykstra have detailed more than 175 areas where organizations get cybersecurity facts wrong in their new book, Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us.
Spafford, a renowned computer science expert and 2013 inductee into the National Cybersecurity Hall of Fame, joined Trend Micro’s Greg Young and Bill Malik on their Real CyberSecurity podcast to discuss where cybersecurity facts get off-track. They touched on cybersecurity as a discipline, the current skills shortage, the dangers of over-valuing efficiency, and the impacts of emerging technologies like blockchain and AI.
CYBERSECURITY FACT: There’s no one thing called ‘cybersecurity’
Organizations often see cybersecurity as a single, comprehensive function when in fact it is highly diversified and specialized. Architecture planning is radically different from app development, for instance, and incident response is by no means the same as running a NOC. Yet many HR managers and executives treat cybersecurity as a monolithic IT endeavor, hiring talent based on years of experience alone instead of by specific discipline.
“Someone who says that they have 20 years of cybersecurity experience—that may be true, but that may not translate to a position they’re seeking to fill,” says Spafford.
In Spafford’s view, the cybersecurity field can do something about this by better classifying roles and specializations to clarify the distinctions between them. The NIST NICE framework is a good start but more work is needed to come up with a complete and comprehensive breakdown.
CYBERSECURITY FACT: The skills shortage is not just a people shortage
As threats multiply, organizations are increasingly desperate to bring on skilled cybersecurity talent—and are finding it hard to fill positions. While there is definitely a need to attract more people into science, technology, engineering, and math (STEM) fields, it’s a fact that the skills shortage isn’t just about a lack of workers. Other structural problems keep enterprises from getting the talent they need.
A major one is lack of investment in on-the-job training to close the gaps between academic learning and practical skills development. That limits workers’ opportunities to gain the experience companies want, and can lead to organizations hiring less-than-qualified people, which creates vulnerabilities.
“There are places that will hire people who learned to code on their own and know nothing about code safety, know nothing about any issues, even simple things like buffer overflow or data anonymization,” Spafford says.
At the same time, companies aren’t necessarily taking full advantage of the talent that is available. Certain pools, such as military veterans, are underutilized and eager for new opportunities. All they need is some retraining. Notably, the U.S. spends only about a quarter of what the EU does on worker retraining.
And if businesses want more STEM talent, they also have the power to help cultivate it. Working with government and educators, companies can get involved with early outreach—promoting STEM careers to elementary and secondary students. Earlier exposure to STEM career options will also help diversify the talent pool, attracting a wider range of people to the field. (Vietnam has coding classes for students in Grade 2.)
CYBERSECURITY FACT: Cheaper and faster isn’t always better
Most organizations have internalized cost control and speed to market as general business values by most organizations. But putting dollar-driven efficiencies before all else can have unwanted consequences when it comes to cybersecurity.
“The fact that we continue to prioritize cheap and fast over safe and secure and private is the thing that really bothers me the most,” Spafford says.
He points to the example of software development. Very often new products reuse legacy code and other assets—reconfiguring them to suit new purposes by switching off features and the like. But the fact is that legacy software isn’t contextualized for today’s threat environment. Even if it was secure in its original use, it may bring unknown vulnerabilities to a new scenario. While reusing it may be affordable and efficient, it can actually make an organization more susceptible to cyberattacks.
New thinking is needed to come up with meaningful metrics for security and privacy that can be weighed against cost and time so that organizations can have a clearer picture of the overall impact of what they’re building.
CYBERSECURITY FACT: Technology alone won’t save the day
Technology has been, and will continue to be, an essential tool for cybersecurity. But too often organizations get caught in hype cycles that cloud the pros and cons of new solutions.
Not so long ago, blockchain was touted as the savior of data integrity. Yet it’s turned out that blockchain is almost never needed and nearly always more expensive and cumbersome than existing alternatives. A centralized database with locking and good logging is almost always a better solution than deploying a blockchain.
Now generative AI large language models are being adopted at an incredibly fast pace, promising massive efficiency gains. To be sure, generative AI does have compelling applications for cybersecurity, but it’s not ready for prime time yet. Vulnerabilities in scraped or open-source code can reappear in new AI-generated code snippets and put an organization at risk. In a survey of companies using AI in a formal way, Addictive Tips found that half (50%) had had an AI-related privacy breach.
“Failing to understand what these are trained on and how they leak proprietary information, violate copyright, and generate just outright plain false responses is going to take a while for people to really understand,” Spafford says. “I think there’s great potential to the technology, but it is being way oversold.”
Enterprises are better off putting their faith in sound cybersecurity policies and then choosing the right tools to implement those policies. Generative AI may end up being part of the mix, but no business should put all its eggs in one basket.
Challenge all assumptions to get your facts straight
When it comes to cybersecurity, what you don’t know can hurt you—a lot. Organizations need to examine and challenge the presumptions and preconceptions they bring to the table, take advantage of resources like Spafford’s book, and anchor their cybersecurity strategies in good, clear frameworks as a foundation to protect themselves from evolving threats.
Next steps
For more thought leadership on cybersecurity and cyber risk, check out these other resources:
- Real CyberSecurity podcast featuring Eugene Spafford
- Cybersecurity Benefits of Generative AI
- Cybersecurity Myths and Misconceptions: Avoiding the Pitfalls that Derail Us—an excellent resource for cybersecurity professionals, non-technical personnel, and new hires