We’ve Got to Re-think IT Security

This is the first article in a four-part series based on Matthew Warner's cybersecurity manifesto, "The Industry Approach to IT and Cybersecurity Is Not Working." As CEO and Co-Founder of Blumira, Matt draws on more than two decades in cybersecurity to argue that throwing money and resources at the problem will never get us ahead of purpose-driven attackers. This series serves as a practical guide for IT leaders navigating the complex world of cybersecurity through operational resilience rather than an endless arms race.

We’ve Got to Re-think IT Security

When I founded Blumira in 2018, the sting from WannaCry was still fresh – and the NSA had “definitely not” lost their secret cyberweapon to nefarious attackers. The cybersecurity community experienced Emotet in 2014, Stuxnet in 2010, and we can look back even further. There are more attackers on both the nation state and organized crime side, and they’re more sophisticated, but their attack methodology hasn’t changed all that much. The biggest change is the increasing impact that ransomware has on company and organizational operations. 

We know why cyberattacks will persist. They’ve become a reliable source of revenue for funding geopolitical conflicts and globalized crime networks. An attack is inevitable. It just is. We see it every week. The question is, how do you stop it without sinking unlimited amounts of money into the problem? Because you’ve actually got a business to run.

In cybersecurity we like to talk about defensive and offensive strategies. In practice, these concepts don’t mean much to the average IT person. Sure, you can schedule an annual “offensive” penetration test. But what does it matter if you know it’s going to be a bloodbath because you haven’t had the time to fix anything from last year? Your leadership may ask that you shore up “defenses” by handing everything over to an outside service like an MDR or SOCaaS. Is that the best strategy, or is it just that they’re not sure you can handle cybersecurity internally? Either way, the good guys will always be at a disadvantage trying to run operations while fending off relentless attackers. Throwing more money and bodies at the problem isn’t sustainable. Like it or not, cybercriminals have a focused strategy. And our strategy doesn't always work to thwart them.

The size and shape of the problem

It's estimated that damage from cybercrime and cyberwars will cost more than $10.5 trillion by the end of 2025. That’s around 7% of annual global GDP. It’s hard to believe, but that means that in one year the combined GDP of India and the UK is going into the coffers of this never-ending scourge. You can say that some of these numbers may be overinflated, and I have my own suspicions, but the Europol and the UN Office on Drugs and Crime came out with their estimate that around 5% of the world’s GDP is being laundered. However you add it up, the scope is huge.

It’s the civilians who are truly impacted. We know that a persistent attacker from a well-funded team will be successful breaching an organization 99% of the time. They may not get all the way in, and they may get caught, but they’ll keep trying because they’ve determined that there’s a target of value. We call these the “purpose-driven” because their motives are single-minded. On the other hand, it’s hard for folks in the business world to fully defend themselves because they’re trying to keep the lights on, make money, and keep people employed. Attackers leverage earnest, industrious motives as weaknesses they can exploit.

IT and cybersecurity are the ultimate thankless jobs. Few people cheer when nothing happens: “Tell us again what you guys are doing all day?” And everyone looks for a place to stick the blame when something goes wrong: “We increased your budget, so how did the bad guy get in?” Visible successes, well, that was someone else’s idea. This takes a toll on the front line – even when their days are just a lot of mind-numbing screen watching. Blumira is dedicated to the idea that stress and burnout don’t have to be the hallmark of an otherwise meaningful career.

After all, there is one advantage you’ve got on those purpose-driven attackers. You know your business and you know how it operates. But that’s also why the solution to protecting your IT environment can’t be outsourced – as tempting as that may be. After all, we’re still living in a reality where cybersecurity workers are scarce and expensive. Yet we expect someone else will be able to find, train, and retain workers who have the knowledge to protect any environment from afar. The fact is, external entities can support you in a variety of ways as part of your IT security process, but they aren’t at your holiday parties - or in your Zoom calls.

Yes, you’re going to have to take responsibility for your own security, leveraging third parties for support. You simply cannot outsource risk. The solution lies in an approach focused on operational resilience rather than an unsustainable arms race against relentless attackers.

In my next article I’ll examine the evolution of IT security and take you on a journey back to the 1990s.

Matthew Warner, CEO and Co-Founder of Blumira, started writing what he calls his ‘manifesto’ in 2023. More than two decades in cybersecurity had convinced him that the money and human resources being thrown at the problem were never going to get ahead of purpose-driven attackers. Matt called his manifesto “Our Approach to IT and Cybersecurity Is Not Working,” and it forms the basis of Blumira’s approach to protecting organizations through operational resilience and experiential growth.

Now, we’re sharing Matt’s thinking in a four-part series that can be used as a guide for IT leaders and decision makers navigating the complex world of cybersecurity. Read about Matt’s unique take on:

• The history and current state of cybercrime, cybersecurity, and defensive tools.
• Leadership challenges in assessing modern threats and evaluating evolving technologies.
• Understanding the human element and psychological impacts of desensitization, normalization, and constant fear.
• The benefits of shifting strategies from threat-centric to operational excellence.
• Selecting cybersecurity tools based on organizational maturity and internal capabilities.
• Actionable implementation steps, training recommendations, and a tool evaluation framework.

Join the conversation – if you’re an IT or cybersecurity professional, let us know your thoughts!