What are some fundamental issues that impede cybersecurity?


Founder/Chairman/CTO in Telecommunication, 201 - 500 employees
I believe that security's fundamentally a design and marketing problem. It's a marketing problem in the sense that you need to understand that you need to be more secure in order to take a preventative action, because you're not there to do that. It's something that happens as an afterthought, so there's a degree of awareness that's involved. But from a design standpoint, how do you make it easy? That has a lot to do with the difficulty of words in the security space. If you ask 10 CISOs what a pen test is, you'll get 10 different answers. How do you reduce that back to what they're looking for out of that solution? And how do we make sure that we can still call something a pen test so that we’re able to have the meeting in the first place?

It's such an interesting balancing act. I often tell the product marketing and sales folks within Bugcrowd that we're built on top of unintended consequences as an industry, so we should expect that words are hard sometimes. It's painful, inconvenient, annoying, etc. But when you think about how we got here in the first place, it's not that unpredictable. Predicting and working in spite of that is at least a starting point.
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
The most glaring issue impeding cybersecurity today is, quite frankly, the acceptance of the flawed premise that cyber professionals can "do it alone". The key pillars of people, process and technology don't work until we can charge ALL of our people, cyber or not, with the protection of our respective organizations. More investment is needed in education, awareness, drills, etc. to hammer home the point that we will not get anywhere unless everyone is empowered to fill in the most glaring gap in cyber risk, the end user.
CISO in Software, 10,001+ employees
Technical debt for existing and legacy systems requires investment and collaboration across all roles to advance systems to a modern state of protection, detection and automated remediation. As others have cited, it is not about security being alone; it requires ownership and participation from all roles.
Director, Security Operations in Telecommunication, 501 - 1,000 employees
1. That there is a "silver bullet" that solves everything.
2. The cultural view that cybersecurity is the responsibility of the "Security Team" and not "everyone".
3. That there is no real ROI for investments in cybersecurity.
4. That until something bad happens, there's not enough budget or focus given.
5. That there are just as many "snake oil salesmen" out there now as there are actual practitioners.
6. That to be considered "successful" in the cybersecurity space, you have to be well-known and have a lot of followers on social media.
Director of Information Security in Energy and Utilities, 1,001 - 5,000 employees
The perception that security is a binary number, either you are secure or insecure, when the name of the game is a risk management exercise. But cybersecurity is still a relatively new field. We lack historical data like the insurance industry has. Probability is a gut feeling for the most part. It is hard to tell when there is enough security. As a security practitioner, I think we will continue to be in this state for a while.
CISO in Software, 201 - 500 employees
The lack of "easy and straightforward" answers, and the deeper you dig, the more the uncertainty grows. Moreover, there's rarely an easy solution for any open security issue you are facing -- and if that's the case, you are probably not doing your job, because the easy stuff should have been done already anyway.
Technology Compliance Director, Information Security in Travel and Hospitality, 51 - 200 employees
There is soooo much money to be made hawking the latest and greatest cyber-panacea, that it becomes difficult for corporate security staff to tell which products are security theater and which are actual security benefits.

We get our industry and governmental alerts, CVE reports and so on, but these outlets tend to be very tactical and part of a short term response.  

Crafting a long term strategy that has the flexibility to morph as the security challenges change is the real hard part.  Almost all of the notifications I see about adapting to future challenges are paid for by a vendor that has clearly solved the entire problem and no one can survive without their product (sarcasm).   It’s hard to focus the limited budget and staff on the long term issues.

Doing product pilots is time consuming and requires resources from operational teams.  The clock is still moving and the aggressors are tuning up for the next variation, but we’re trying to decide which products have real value for actual security.
