    September 3, 2025

    Five Critical Issues in Modern IT Security

    This is the third article in a four-part series based on Matthew Warner's cybersecurity manifesto, "The Industry Approach to IT and Cybersecurity Is Not Working." As CEO and Co-Founder of Blumira, Matt draws on more than two decades in cybersecurity to argue that throwing money and resources at the problem will never get us ahead of purpose-driven attackers. This series serves as a practical guide for IT leaders navigating the complex world of cybersecurity through operational resilience rather than an endless arms race.


    Now that we’ve taken a look at the problems IT security is facing and what got us here, I’d like to dig deeper into the issues that I think are driving our current state. Then, in the final article of this series, I’ll outline some solutions and a practical way forward.

    Security is big business, cyberattacks are increasingly pervasive, and IT can’t hire enough people to plug the gaps. Cybersecurity is what everyone is talking about, and you can see it in this chart: Search volume for “cybersecurity” overtook “information technology” in 2021, and there’s no going back. Yet, I could make the argument that our livelihoods have become a ho-hum topic. Despite more attacks, more visibility, and more knowledge about breaches, the world seems numb to what’s happening. Perhaps we shouldn’t be surprised. There are numerous studies that illustrate the desensitization impact of high exposure to potentially violent or stressful topics. It seems there’s an expectation that “someone” must be solving this gigantic problem, so why worry?


    Back in 2005, companies were primarily concerned about computer viruses, with 52% of companies impacted. Now malware that’s spread through fraudulent ads is the norm. Twenty years ago, the antivirus industry was hitting $4B a year in revenue and growing quickly. Symantec, McAfee, and Trend Micro were the primary market holders. But as technology tends to do, improvements on the offensive side outpaced the antivirus industry. In response we saw next-generation antivirus introduced six years later to try to get ahead of new attacks. And so it goes.


    The blow-for-blow method of securing infrastructure through technology has created a flywheel of problem creation that’s significantly faster than the capacity to develop solutions.

    Inside companies and organizations, cybersecurity has been fighting a valiant battle, but it’s exhausting. Even with a strong defense, cracks are inevitable. And asking for more budget usually isn’t taken seriously until something has already gone wrong. In many organizations, IT security is treated like a utility – important but not strategic. But without it the organization could cease to exist with one successful breach. So maybe it’s time to get strategic.

    Here’s a diagnosis – issues I believe every organization needs to address in order to determine just how healthy we are in the face of purpose-driven attackers.

    Desensitization to attacks

    Cybersecurity is an industry obsessed with threats. Our resting state is continual vigilance to attacks. In categorizing potential attacks, we see them as things – incidents – rather than real people who are also strategizing their next move. De-personification of attackers feeds the desensitization to attacks. We have to remind ourselves that these are real humans whose job is to generate billions of dollars in revenue for their country or criminal enterprise. Automation and AI will only make it worse. If we leave everything to the machines, we risk being completely desensitized. Humans are required and they play a critical role.

    Diffusion of responsibility

    You can only do so much, and you have to make choices. So your organization chooses the perceived leader in security software and hands everything over to them. That’s not necessarily the wrong answer, but is it the right answer for you? Not if it means becoming a bystander in your own cybersecurity. There’s no getting around the fact that you have to take ownership of your IT security operations. MSPs and managed security services can be an integral part of your stack, but they need to be actively engaged with your internal team.

    I’ve seen some companies try to solve the responsibility conundrum with compliance-enforced tabletop exercises. Participants play along, but usually don’t come out of the experience with a true commitment to responsibility and accountability. IT has to be fully tapped into critical business operations so they know who’s responsible for recovery and who can hold everyone accountable. It’s not about placing blame, it’s about taking action. A third party can’t do this. You must be responsible for your own environment, working with third parties to help you be successful within your identified needs.

    Normalization of incidents

    An incident is one of the most stressful events you’ll go through as an IT or cybersecurity practitioner. Moving from problem identification to containment and recovery is financially costly – but it’s even more of a burden to human cognitive resources. A breach introduces significant emotional harm to defenders and the organization under attack. Ask anyone what their first few breaches felt like, and you’re likely to hear things like “overwhelming,” “exhausting,” “frustrating,” “fight or flight,” “panic attacks,” and “whiskey.” Perhaps this is why we want to block the fact that there are people somewhere in the world with hands on a keyboard perpetrating these attacks. But they’re real.


    It’s generally acknowledged that IC3 self-reported ransomware attack statistics are low, but if we just go by the 2024 numbers, an average of 15 organizations were ransomed every day. That means that every day there are tens to hundreds of people in the U.S. alone – from low-level IT folks, to company ownership – who are being impacted. Their trauma could potentially last for years. The sheer volume of this stress has been normalized by the fact that it’s constant and seemingly impossible to stop.

    Policy skewed by insurance

    Cyber insurance seems to be taking the compliance torch out of the hands of PCI and other compliance frameworks, while at the same time trying to avoid a waterfall of ransomware cost. This has spawned some new policies. We’re seeing SIEM and EDR requirements being included in insurance, but to be honest that doesn’t make complete sense when you look at where the losses are coming from. (And yes, I’m saying that as the founder of a SIEM+XDR SaaS company). In 2023 Business Email Compromise (BEC) resulted in $2.9B of loss in the U.S. (That’s one of the main reasons Blumira provides Microsoft 365 monitoring for free). If the larger risk to organizations is accounts payable sending wires to fraudsters, you have to ask yourself whether you have the necessary visibility and insurance coverage to truly de-risk the organization.

    It’s critically important to evaluate how you’re monitoring your environments, both on-prem and cloud. But if you’re only leveraging cyber insurance to drive policy protection decisions, you need to be fully covered. Be sure you’re making decisions based on the holistic needs of your organization, not just because an external regulator or insurer recommends it.

    Psychological impact driving awareness vs. action

    When an attack occurs, it can be difficult to ascertain the best path forward. This can be exacerbated by the fact that the time from initial breach to full control can take an hour or a month depending on the attacker’s playbook. Watching and waiting only creates heightened paranoia – and potentially overreaction. And that increases stress on every human involved. Remarkably, some organizations end up deciding that awareness is good enough – after all, there’s a business to run. Action can wait.

    It pains me to say that I’ve watched more than one organization decide that the beachhead an attacker has is probably okay, and they can take time dealing with it because they’ve got a business to run. They neglect to play out the scenario and see the extent of the operational risk. Soon enough, they’re looking at a full ransom of the environment and significant impact to the company – a situation that could have been headed off at the pass.

    The unthinkable has got to be thinkable

    So you get yourself a bucket of tools to identify threats. If those tools are ignored, or if you don’t have the means to take action, you can produce all kinds of pretty reports – but you’ll be helpless in the face of a real incident. Not only will your organization be impacted, you could be personally fined and have to live with a stain on your professional life for years to come. This is an opportunity to grow your operational efforts around IT security beyond awareness so your whole team is ready to act when (not if) the “unthinkable” happens.

    In my final two articles, I outline practical ways organizations can build resilient IT security involving a fusion of technology and people.

    Article 1: We’ve Got to Re-think IT Security
    Article 2: How Did We Get Here?


    Matthew Warner, CEO and Co-Founder of Blumira, started writing what he calls his ‘manifesto’ in 2023. More than two decades in cybersecurity had convinced him that the money and human resources being thrown at the problem were never going to get ahead of purpose-driven attackers. Matt called his manifesto “Our Approach to IT and Cybersecurity Is Not Working,” and it forms the basis of Blumira’s approach to protecting organizations through operational resilience and experiential growth.

    Now, we’re sharing Matt’s thinking in a four-part series that can be used as a guide for IT leaders and decision makers navigating the complex world of cybersecurity. Read about Matt’s unique take on:

    • The history and current state of cybercrime, cybersecurity, and defensive tools.
    • Leadership challenges in assessing modern threats and evaluating evolving technologies.
    • Understanding the human element and psychological impacts of desensitization, normalization, and constant fear.
    • The benefits of shifting strategies from threat-centric to operational excellence.
    • Selecting cybersecurity tools based on organizational maturity and internal capabilities.
    • Actionable implementation steps, training recommendations, and a tool evaluation framework.


    Matthew Warner

    Matthew Warner is Chief Technology Officer (CTO) and co-founder of Blumira. Matt brings nearly two decades of IT and cybersecurity experience to his leadership position, and a genuine passion for cybersecurity education. Prior to founding Blumira, he was Director of Security Services at NetWorks Group, a managed...
