[BreachExchange] There’s Simply No Such Thing as “Good Enough” in Cyber Security

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 2 18:44:03 EDT 2017


History tells us that there comes a time when almost every new innovative
service starts to lose ground to a “good enough” competitor.  In fact, many
of the products that we buy are much cheaper than the original models,
because competitors cut corners to make something that is good enough to
fit our needs at a cheaper price. As a director of operations, I can fully
appreciate a lower priced option that still fits the needs of my

But good enough could spell trouble, especially as this mindset creeps
into the cyber security industry.  In fact, I’d go so far as to say the
single greatest cyber threat to organizations today is the “good enough”
standard that’s being sold by key players within the cyber security

For example, many vulnerability scanning tools have been developed over the
years and have become a crucial part of organizations’ everyday security
posture.  These scanning tools provide valuable insight into out-of-date
patches and vulnerabilities that have been publicly reported.  The problem:
most organizations’ vulnerabilities are not publicly known. We’re talking
about nearly 90%! What does that mean?  A vulnerability scan, or a scan
based penetration test will not identify those unknown vulnerabilities.
That’s a high price to pay for good enough.

Still, this good enough mentality is easy to justify from a business plan
standpoint. For the buyer, a scan-based penetration test or vulnerability
scan takes less time and is more cost effective. For the service provider,
it’s very hard to get and retain employees who have the skillset required
for manual penetration testing, so it’s easier – more cost effective – to
just hire less skilled individuals to run automated processes and go
through a manual checklist at the end.

I mean, customers don’t know the difference, right? Isn’t this good enough?
Many are certainly falling for it, hook, line and sinker, and the mindset
has started to dominate an industry that should have no tolerance for
anything less than second best.

In order to overcome this mindset, customers need to start asking the hard
questions and evaluating their cyber security strategy: what exactly am I
getting for my money? What is the risk I am facing? Am I settling with
“good enough” or doing everything I can to secure my organizations and
customers? The security industry needs to evaluate the value they are
selling to customers and start asking some hard questions as well: is this
really securing my customer? If not, do they understand exactly what they
are buying or are you providing them a false sense of security?

At the end of the day, hackers are leveraging the vulnerabilities of not
only the organization’s network but also the security industry itself to
exploit, gain access, and take whatever it is they are after. Let’s not
make it easier for them.