Cybersecurity: There isn’t any Pixie Dust

Almost always, when I discuss improving cyber security with a system owner, I get the message that they expect “Pixie Dust”.  Now, they don’t come right out and say it this way, but that’s what their message amounts to.  What do I mean by Pixie Dust?  Let’s look at what systems owners expect and say.

System owners typically have existing systems that have been built up over many years, at great cost and effort, and have a base of developers, maintainers, and users who are quite happy with the status quo.  The last thing that the system owner wants is change.  Change to anything.  Change is scary.  Change is risky.  Change is expensive.  The idea of adding cyber security alone is nearly causing panic for these system owners as it is.  The thought that the system itself may need to change is not even allowed to cross their minds.

After all, they’ve been endlessly informed that cyber security is the IT department’s job.  That their precious system lives in an enterprise and the IT department will provide cybersecurity for that system.  So, of course the thought that their precious system itself is insecure and, must be made secure, is quite a stretch.  Furthermore, when told that they need to secure their system the owners believe this means some additional security hardware will be added to their networks.  Hardware that won’t interfere with the operation of their system of course, and that they won’t have to maintain or deal with in any way.  Or, in the worst case, perhaps a small, barely noticeable process will be run on their machines, much like a fancy virus checker.  That’s something the system owners can relate to, as they have virus checkers on their home PCs, and it’s not so bad.  A small process on their machines won’t really interfere with anything, so that burden can be borne without a heart attack.

What the system owners expect is the security people to come in and do their job while they go to lunch.  When they get back, their systems will now be secure, and they can go on with their business as if nothing ever happened.  In other words, the system owners expect Pixie Dust.  They think that while they’re gone munching on lunch, the security people will take out their magic pouch, grab a pinch of Pixie Dust, and sprinkle it on the system, and magically the system is now secure.

Well, I hate to be the one to inform the system owners, but there isn’t any Pixie Dust.  The real issue is that over the years, the systems we’re built up without the kind of security that we have in mind today.  So, the system itself will need to change.  That usually ends the conversation.  And why not?  Other purveyors of security systems actually do promise Pixie Dust.  They say we have the best firewall, IDS, IPS, machine learning, anomaly detection, cyber gadget du jour, etc. available.  And all of this will not require you to change one iota of what you do with your system today.  Which pleases the system owners quite a bit, so they choose one of them.  Everyone else is choosing one of these Pixie Dust purveyors, so it must be OK. Right?

Perhaps that is why our systems are so insecure today despite spending an enormous amount of money and time on cybersecurity.  No one wants to address the root causes of the problem and fix them.  The systems themselves, and the foundational protocols and technologies on which they are built, are insecure.  Now that cyber attacks have moved beyond data systems to cyber-physical systems like robotics, medical devices, IoT, and industrial controls, the situation only get more dire each day.  And until the foundations are fixed, we will continue to have insecure systems, and stories of the latest attack on the cover of the Wall St Journal.

 

David Viel is Founder of Cognoscenti Systems, which is dedicated to building new, secure foundations for systems. Contact at: info@cognoscentisystems.com  Find out more at: www.cognoscentisystems.com

Leave a Reply