It Is Time to Retire the Hooded Hacker Guy Fawkes Image

You know, security is hard to get your arms around. You can’t buy it in the form of a product. And you certainly can’t get it by barely clearing the minimum compliance hurdles. It is a combination of people, processes and technologies that come together to ensure that the confidentiality, integrity, and availability of information assets (physical, virtual, data, etc.) are maintained.

Not so fast Mr. CISO

One thing that has become apparent over the last few years is that the risks of failing to achieve security have been underestimated, leading to the demise of some high profile executives and more than a fair amount of frustration on the part of consumers. Worse, we’ve seen banking systems, critical infrastructure, military, intelligence, and political organizations suffering breaches as well. Adequate resources, financial and intellectual, have not been deployed effectively. Consequently, the ‘bad guys’ are winning and will continue to win until their asymmetric advantage is negated.

The popular press misreports what has occurred through speculation, disinformation, lack of understanding, and lack of access to the full set of facts. More subtly, every time we see a hack the press is quick to remind us that the culprit is a mysterious hooded figure or a person in a Guy Fawkes mask. It reminds me of how the bogeyman had his mythos wrapped up in the fear of Napoleon. You may as well say all red team/aggressor activities are attributable to Vladimir Putin and all blue team/defensive activities are attributable to, well, me. It’s just as big a falsehood. And I think this image causes executives, and others, to believe they have grasped the nature of the threat actor(s) and their motivations. The image alone fools our brains into thinking something very complex is actually very commonplace.

Guy Fawkes is not really the culprit

If we want to end the underinvestment in cybersecurity, perhaps we first have to start by putting this tired image to bed.

Update 10/14/2017 — I just found out Troy Hunt gave a talk where the introduction basically highlighted the same phenomenon.