It’s Time to Change the Cybersecurity Metaphors We Use

Source: Pat Muoio, Wall Street Journal


There’s a lot to be learned from the words we use to describe things. Cybersecurity is a case in point.

The prevailing metaphor people use when they talk about cybersecurity is that of attack—of cyberwar and cybercrime. It’s understandable, but such language aims our solutions outward at the attacker, with tools focused on things like perimeter defense, threat assessment and analysis of attack surface. In short, we focus on the bad guys.

Contrast that with the notion that cybersecurity is all about keeping an organization’s systems healthy. Now our attention is turned to internal monitoring, avoiding risky behaviors, closing down vulnerabilities—the open wounds that let bad things take hold. We examine ourselves.

This isn’t a semantic issue. The focus on the perimeter—or how the bad guys are getting in this time—forces organizations to fight back on the outsider’s terms. They end up chasing after new tools to prevent the attack du jour, without thinking how those new tools might interact with the cyber defenses they already have in place. In short, organizations give up the home-field advantage that comes from having detailed knowledge of their own systems and data.

Consider phishing, where hackers try to entice people to click on bogus links in emails with the aim of stealing user credentials. The success of phishing gave birth to cyber tools that let users know if links are safe to click. Yet phishing is just one of many ways hackers steal credentials—they also do it via password guessing, keystroke logging, even stealing the sticky note on which a password is written. Deploying separate tools to protect against each of those attack methods isn’t practical. Two-factor authentication, however, makes stolen credentials useless regardless of how they are obtained. This is a solution that addresses the correct operation of a system, not the specific type of attack itself.

Regardless of how a breach occurs, there is a very limited set of actions hackers can take to execute an attack once they gain entry. These actions let the hacker become a privileged user on the system, steal, encrypt or corrupt data, or execute commands that can cause the system to break down. Detecting and neutralizing these universal actions is easier and more efficient than trying to detect every way those actions might be combined or every trick hackers might use to evade detection.
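The column’s point that post-entry actions are few and detectable whatever the entry vector can be shown in code. The following is an added illustration, not code from the column or its author: a small behaviour-based detector that walks a constructed stream of host events and raises the same alerts whether the session began with a phished password, a guessed one or a keylogged one. The event format, the action names, the thresholds and the sample sessions are all assumptions made for the example.

```python
"""Detect the "universal" post-entry actions rather than the entry vector.

Added example (not from the column). Event format, thresholds and sample
sessions are constructed assumptions, not a real product's log schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since session start (constructed)
    user: str
    action: str    # login | priv_change | file_read | file_write | net_send | exec
    detail: str    # entry vector, path, byte count, or a constructed command tag


# Tunable thresholds; these values are assumptions for the example.
MASS_WRITE_THRESHOLD = 20          # files rewritten inside one window
MASS_WRITE_WINDOW = 60             # seconds
BULK_READ_THRESHOLD = 15           # distinct file reads in a session
EXFIL_BYTES_THRESHOLD = 50_000_000 # bytes sent out of the host
# Constructed tags standing in for commands that break the system's own defenses.
DESTRUCTIVE_TAGS = {"disable_backups", "clear_logs", "stop_security_services"}


def detect(events):
    """Return a sorted list of (alert_type, user) for the post-entry actions seen.

    The login event is deliberately ignored: how the credential was obtained
    does not change what the detector looks for afterwards.
    """
    alerts = set()
    writes = defaultdict(list)   # user -> timestamps of recent file writes
    reads = defaultdict(int)     # user -> count of file reads
    sent = defaultdict(int)      # user -> bytes sent out
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "priv_change" and e.detail == "admin":
            alerts.add(("privilege_escalation", e.user))
        elif e.action == "file_write":
            writes[e.user].append(e.ts)
            recent = [t for t in writes[e.user] if e.ts - t <= MASS_WRITE_WINDOW]
            if len(recent) >= MASS_WRITE_THRESHOLD:
                alerts.add(("mass_file_modification", e.user))
        elif e.action == "file_read":
            reads[e.user] += 1
            if reads[e.user] >= BULK_READ_THRESHOLD:
                alerts.add(("bulk_data_access", e.user))
        elif e.action == "net_send":
            sent[e.user] += int(e.detail)
            if sent[e.user] >= EXFIL_BYTES_THRESHOLD:
                alerts.add(("possible_exfiltration", e.user))
        elif e.action == "exec" and e.detail in DESTRUCTIVE_TAGS:
            alerts.add(("destructive_command", e.user))
    return sorted(alerts)


def post_entry_actions(user, start):
    """The same small set of actions, regardless of how the session was opened (constructed)."""
    ev = [Event(start + 1, user, "priv_change", "admin")]
    ev += [Event(start + 10 + i, user, "file_read", f"/finance/report{i}.xlsx")
           for i in range(BULK_READ_THRESHOLD)]
    ev += [Event(start + 40 + i, user, "file_write", f"/finance/report{i}.xlsx.locked")
           for i in range(MASS_WRITE_THRESHOLD)]
    ev.append(Event(start + 70, user, "net_send", "60000000"))
    ev.append(Event(start + 80, user, "exec", "disable_backups"))
    return ev


def session(entry_vector, user="alice"):
    """A constructed session whose only difference is how the credential was obtained."""
    return [Event(0, user, "login", entry_vector)] + post_entry_actions(user, 0)


def benign_session(user="bob"):
    """A constructed ordinary working session that should raise nothing."""
    return [Event(0, user, "login", "password"),
            Event(5, user, "file_read", "/docs/notes.txt"),
            Event(9, user, "file_write", "/docs/notes.txt")]


if __name__ == "__main__":
    for vector in ("phishing", "password_guess", "keylogger"):
        print(vector, detect(session(vector)))
    print("benign", detect(benign_session()))
```

Each of the three sessions produces an identical alert list, and the benign session produces none, which is the column’s argument in miniature: the detector never consults the entry vector, so a new phishing lure or credential-theft trick changes nothing about what it catches.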

All of this makes a compelling argument for talking about cybersecurity in terms of health rather than attack. This change of rhetoric will get organizations thinking about systemic solutions based on their understanding of the systems they create and run. Now the bad guys don’t dictate the terms of engagement. They can use whatever techniques they want to disguise their approach because the approach doesn’t matter. If organizations can stop hackers from executing, they don’t have to stop them from getting in.

One big benefit of this way of thinking is that organizations can achieve full protection with fewer solutions. They don’t need to constantly assess the threat environment; that activity becomes the purview of security researchers, not a task that needs to be done by every organization trying to secure a system. An attack by Russia is neutralized the same way as an attack by an amateur hacker because when it comes down to executing, they have the same set of actions available to them.

This may not be as glamorous or dramatic as the idea of engaging in a mind-to-mind “war” with hackers, but it is much more effective.