This post is my take on two thoughts shared in conversations I’ve had at conferences. The first revolves around making security better by focusing on old-fashioned work (the so-called ‘boring stuff’) rather than chasing after the blinking lights. The other is about the economics of cyber crime. What stuck out to me was the ever more business-like conduct of the “bad guys”.
I spent the drive home thinking about the points made in these two conversations and how they fit with other things I have experienced. My conclusion is this: we are not just being beaten at information security. Sadly, and more profoundly, we are being beaten by these groups in a much more fundamental way.
They are beating us at the boring stuff: management.
We’ve seen examples of malware propagators with service desks and tiered payment plans, and with automated procedures for updating their customers’ software to avoid detection by large anti-virus companies. In further examples, we saw them repeatedly using their data better than we do to make product improvements.
This quote from change management guru John Kotter’s book XLR8 sums up management:
“Management is a set of well-known processes that help organizations produce reliable, efficient and predictable results. Really good management helps us do well what we more-or-less know how to do regardless of the size, complexity or geographic reach of an enterprise.”
Extending that quote and the thoughts on the boring stuff in security management, I’d say some of these groups are moving to beat us in the wider aspect of business management. If they are beating us at management in general, how much worse can it get? Check out this diagram from the same Kotter book (Loc 639 in my Kindle edition).
In the past, we faced ad hoc groups without specific goals and targets. Now though, the ‘bad guys’ are businesses, trading their wares out in the open and building organizational processes and partnerships to ensure their revenues. We know that has moved many of them to the plus side on the management axis. I believe they are also, at least in some cases, on the plus side on the leadership axis.
If we look at the points in the leadership square above, we see terminology such as “innovative”, “adaptive” and “energetic”. The actions we see in today’s nefarious groups reflect these criteria. They have for quite some time.
They use media well…