A permacrisis is a seemingly never-ending period of profound instability and insecurity.
It is the official word of the year – and many mainstream media pundits would have us believe that the popularity is because the world is on the brink of war while facing wave after wave of devastating diseases and airborne viruses.
However, if you work in infosec, you will know that this term also describes cybersecurity quite well.
Back in early 2020, we already had a shortage of skilled professionals, but then the pandemic required most enterprises to instantaneously transition nearly all roles – including the administrative ones – to work from home via Internet connections. What could go wrong?
As numerous enterprises (including Twitter) can attest, a lot can go wrong when a sizable amount of your privileged access is permitted to happen remotely.
What else is contributing to the cyber-permacrisis?
- Cyber-criminals are getting cleverer and more sophisticated at performing cyber-attacks.
- Technologies are constantly evolving but are not always accompanied by the improvements in cybersecurity that they require to remain safe.
- Managers are pushing their understaffed infosec employees so hard that many are burning out and either leaving or quiet-quitting.
- … and did I mention the brink of war thing yet?
Among all this, ask most executives in any reasonably sized enterprise how their cybersecurity is, and the response you will get (especially if you are a shareholder or customer) is total reassurance.
“Things are great.” Some of the go-to executive tropes you might have heard are:
- “We have never spent so much money on cybersecurity.”
- “Our security now is stronger than ever.” (Don’t mention the threats are even worse)
- “We recently invested in buying some additional security technology.”
Executives can be far more comfortable with half-truths than with the harsh realities – BUT – (and it is a big but, and I cannot lie) – those executive truisms are no longer safe. Why? Because they come from the era when the dwell time (the time between a devastating infiltration happening and it being discovered) averaged nearly a year, and even that time was fast if your enterprise cybersecurity was sucky enough.
It used to be the case that the worse your security was, the easier it was to pretend everything was OK.
With dwell times now averaging less than two weeks and ransomware prepared to wave the red flag for you (if you still want to stick the company head in the sand) – this is a permacrisis that needs a solution… and so here it is.
The Cybersecurity Permacrisis Solution
Solving cybersecurity has much in common with solving the Chinese finger trap. In a situation with scant resources, instead of squeezing them harder, you need to work them smarter.
In the same way that a finger trap is solved by pushing in the opposite direction to the one you expect, security problems are solved by taking the stress away from your staff and giving them the time, space, training and tools to overcome the problems.
Cybersecurity operations can now be highly efficient, but only if you make the investments to get them to that state.
The usual pushback is that “We’re too busy to release our limited staff for training/new security tool deployments…” – but to keep pushing your limited resources to sustain the impossible workload is a pathway to burnout and disaster (although not necessarily in that order).
Here is a taste of what you could achieve if you invest in giving your security team the space and time they need to straighten out your security environment. These are some of the newer infosec innovations and tools that can efficiently transform digital landscapes – if you let your existing cyber staff get up-to-speed on them:
Passwordless
In just a few years, passwordless technologies have gone from experimental theory to a relatively straightforward implementation that (with the right deployment design) can also support self-service and minimal manual interventions. Going passwordless also makes for an easier and more pleasant way for staff to log in to systems using fingerprints or face scans.
The other bonus is that for the systems and services that use passwordless, your organization no longer has to store those shared secrets (encrypted passwords), removing those large, attractive targets (aka password databases) from your digital ecosystem.
Containerization
Does your organization still use operating systems instead of securely configured containers and microservices to run your business software?
Bringing your teams (security and development) into the world of containerization can not only enhance security but also resilience and scalability. These systems work like Lego – substituting fat applications that need to sit in big, carefully prepared operating system environments with tiny building blocks that can be placed or replaced anywhere, centrally coordinated, monitored and secured.
Zero Trust Architecture
You may think the term zero trust is all hype – or hypothetical – but actually, it is pretty great.
Yes, zero trust architecture will take some time to be fully realized through any environment, but let us take a moment to understand what it is. For applications, services or sections of technology that achieve zero trust status, an enterprise no longer has to worry about networks or even virtual private networks. Each component is individually secured and able to exist without trusting any other connection by default.
More
Of course, there are more tasty cybersecurity treats available: genuine artificial intelligence-based threat monitoring systems, security operations center automation, upgraded extended detection and response capabilities, I could go on…
The important point is that this cybersecurity permacrisis will endure if you let it.
Enterprises that make the time and space for their security staff to learn and deploy the most efficient and proven new security principles can achieve levels of efficiency and security that will keep them safe.
The next time you are tempted to push your security staff harder, why not consider pushing them smarter instead – and giving your people the time and investment they need to implement the efficient and effective security you need.