This is the second article in a four-part series based on Matthew Warner's cybersecurity manifesto, "The Industry Approach to IT and Cybersecurity Is Not Working." As CEO and Co-Founder of Blumira, Matt draws on more than two decades in cybersecurity to argue that throwing money and resources at the problem will never get us ahead of purpose-driven attackers. This series serves as a practical guide for IT leaders navigating the complex world of cybersecurity through operational resilience rather than an endless arms race.
How Did We Get Here?
The first article of this series exposed how our current methods aren’t making headway against persistent, purpose-driven attackers. Now let’s take a look at how we got to this point.
Security is not a new topic in IT. Yet somehow every year a silver bullet is invented to solve for the latest trend. In some cases it’s an amazing technological leap; in others, it’s more like a unique application. If we’re going to be honest, though, it’s often just another box of blinking lights. In the past that shiny new box would sit in a rack; now it sits in an auto-renewing SaaS contract. In the grand scheme of work, ITSec departments have modern engineering efforts thrust upon them which they then have to apply to the inevitably slow-to-evolve business.
It's helpful to put the history of IT security into context. If the average senior executive is around 49 years old, that means they started their career between 1992 and 1996. The Cold War was ending, Java was just being introduced, Buffy was slaying vampires, and Ace of Base - The Sign was the top song. It all seems like ancient history. But even then there were complex cyberattacks. It’s just that they were largely unseen because not even 2% of the world’s population was online by 1994. AOL 2.0 was released that year, and we were still relying primarily on Windows 3.1 and NT.
You can’t blame those senior executives for where they are now. There just weren’t a lot of opportunities during their formative years to be steeped in technology. This has likely shaped how they perceive the need for technology in IT – it’s there to keep the lights on, not necessarily to improve the organization’s posture. Moreover, they’ve probably seen their share of bad reports from nitpicky auditors. Time and again they’ve budgeted for newly “needed” technology only to have it fail – or get acquired and ruined. Experience has made them into IT skeptics.
“We’re facing a kind of connected bystander effect that favors awareness over action.”
Fast forward to today. Modern technology and globalism allow us to watch and learn from everyone who’s being brutalized by cyber-attackers. We can write whitepapers and post commentary on what could have or should have been done differently. But here’s my worry.
It’s like sprinkling your house with a garden hose while waiting for a spark to fall on the roof.
Is The House On Fire?
DMZ (short for “demilitarized zone”) refers to the security perimeter between a private network and an untrusted network, referencing the military designation for an area between controlled and uncontrolled territory.
You could argue that the evolution of IT infrastructure isn’t aligned with the evolution of our capabilities. Importantly, the adoption of third-party and cloud services requires people to have access outside of traditional solutions like intranet/VPN-accessible shared drives. An expanded Internet-facing footprint is necessary in order to host the externally accessible resources everyone needs, like public web pages and customer services. But since your Internet-facing assets are not totally locked down, they provide a much broader attack surface for nefarious actors. Without modern practices, IT is creating exposed target-rich environments for sophisticated attackers like CL0P and REvil who are already reinvesting their ill-gotten gains into targeted 0-day attacks like MOVEit and Kaseya.
Even though the perimeter has shifted, the accepted solution is often still Managed File Transfer (MFT) facing the Internet but still within the network – essentially SFTP souped up with some extra automation, reporting, and permissions delegation. Locally-hosted file transfer services were good enough security 15 years ago, but not surprisingly, attackers have upped their game. Automated scanning and more sophisticated attacks make them a much easier target. Unfortunately, too many admins are still relying on old advice when they should be implementing newer practices like changing default ports and limiting folder access. They would have to get educated about options like reverse proxies that limit access to specified ports/resources while still being monitored by the firewall.
Any admin who isn’t steeped in cybersecurity on a day-to-day basis might google “how to share network drive with contractors” and follow the advice of a decade-old article that looks perfectly sensible – just implement the MFT solution. But this advice hasn’t kept up with the times. The problem is further complicated by the growing number of searches using chat with an LLM (Large Language Model). Since these models are trained on knowledge that’s both outdated and up-to-date, you may get old recommendations or simply nonsense.
In fact, we discovered an issue just like this on our own corporate website. With thousands of pages and links to keep up-to-date, we discovered that AI had indexed an obsolete PDF. Even that one conflicting resource can introduce errors in LLM-provided answers and make it difficult to verify the correct advice.
As environments get more complex and SaaS-first solutions mature, leaders might decide it's “safer” to outsource their headaches to third parties like managed service/security providers or managed detection and response solutions (MDR). They soon find out that solutions sold as “hands off” still require effort by the internal team to provide context and access. And the reality is that if something does go wrong, the internal team will be held accountable – after the damage is done.
The Toll On Humans
In a lot of organizations, the solution seems to be “add more bodies.” For small and mid-sized companies, that translates to “rent more bodies.” The not-so-surprising result of all this is a brain drain – much needed IT talent choosing to up their value by shifting over to cybersecurity, leaving critical seats vacant. So they leave behind opportunities to go deeper into IT architecture, instead attending bootcamps, getting certifications, and specializing in security without gaining historical experience of how IT, business, and security actually intersect. The word is out that cybersecurity specialists are a hot commodity. But it’s also not a secret that the job is one of burn-and-churn.
In 2023, Forrester identified that 66% of people in cybersecurity felt under significant stress. Nearly 20% consumed three drinks a day to deal with their stress (and we’re not talking about coffee). This doesn’t seem like a healthy industry in which to add 4 million (seemingly needed, although doubtful) new workers across the world in order to meet perceived demand. Worker shortages, significant skills gaps, and a generally high-stakes job can make for an untenable environment for cybersecurity workers. But it shouldn’t be their stress to bear. Anyone who has taken the Certified Information Systems Security Professional (CISSP) test, often required for IT leadership, knows that it requires acknowledgement that human life is important above all else. That really sticks with me. If we can’t respect the people operating our critical IT and security infrastructure, are we truly honoring that commitment?
In my next article I’m going to let you in on my diagnosis of the problem, and how our current situation impacts both organizations and individuals.
Matthew Warner
Matthew Warner is Chief Technology Officer (CTO) and co-founder of Blumira. Matt brings nearly two decades of IT and cybersecurity experience to his leadership position, and a genuine passion for cybersecurity education. Prior to founding Blumira, he was Director of Security Services at NetWorks Group, a managed...