Why cybersecurity consulting should be boring and collaborative like public health

Nick Ellsmore, Director of Consulting and Professional Services (Pacific) at Trustwave, tells us that while state-sponsored cyberattacks get the headlines, there is plenty of pragmatic work that can be done to address the 99% of attacks that aren’t.

I’ve been a cybersecurity consultant for over 20 years. Well, I was an IT security consultant for a few, then had a shave and became an information security consultant for a few more, before putting on my best scarf to become a cybersecurity consultant more recently still. 

One thing that has become very apparent over two decades of consulting, and is now more important than ever, is that the role of the cybersecurity consultant is often misunderstood.

Consulting as an industry grew from Frederick Winslow Taylor’s ‘Scientific Management’ techniques of the 1890s. As with a lot of consulting still today, the intent of such techniques was to provide targeted specialist advice, allowing the client to obtain a competitive advantage in order to beat the stuffing out of their peers. Better, faster, cheaper: the three goals of competitive distinction.

There are, however, areas of society and commerce where we need to come together and realize that we really shouldn’t ‘compete’ in the traditional sense. Given we’re living through the dumpster fire that is 2020, the pandemic response is a great place to conceptualise this. Do we really want restaurants to compete over who has the ‘best’ COVIDsafe plan, so that as a consumer you have to make an assessment of where you are less likely to catch a disease? Or do we just want all restaurants to have an agreed-upon, good-practice operating model that has been verified by someone knowledgeable as being appropriate?

If you’re like me, you’d prefer the latter. 

So do we want cybersecurity to be more like ‘disease prevention’ and have a collaborative response; or more like the local bake sale with 30 different cakes cooked in 30 different kitchens with 30 different sets of mildly contaminated cooking equipment? 

Generally speaking, customers quite rightly expect sufficient security everywhere, and want to be able to go to the bakery with the best cakes, or the best priced cakes, rather than having to figure out whether that particular bakery is more or less secure than the one next door, and hence more or less likely to turn your cake purchase into an unwanted adult website subscription, an awkward conversation and a cancelled credit card. 

No individual organization can afford to solve the problem on their own. With so much shared infrastructure, so many suppliers and business partners, and almost no ability to recoup the costs invested in security (since just as customers expect companies to be secure, they also don’t expect to have to pay extra for the privilege of not having their data lost), it is simply not cost-viable to throw the amount of money really needed at the problem. Which, incidentally, is why we keep going around in circles saying that budgets aren’t high enough – they aren’t, if we keep doing things the way we’re currently doing things. 

Back to the role of the cybersecurity consultant. While it is true that our role is in part a straightforward exercise in providing expert advice, the underlying role is to change the way people think about cybersecurity. We need to demystify the topic, provide simple resources to solve future problems, and in many cases try to remove the need for us to return.

Whether you believe in the ‘skills crisis’ or not, the cybersecurity market is unquestionably supply-side constrained. That is, there is more work out there that needs to be done than there are people to do it at the moment. There won’t be a silver bullet to address this; rather, it’s going to take a whole range of initiatives in the areas of hiring, training, increasing diversity, increasing the take-up of shared services and managed services, increasing automation and changing underlying approaches to how smaller companies work with technology.

While ‘the 1%’ of attacks – the state-sponsored APTs – get a lot of media love, we can do a lot of good by helping organizations with very practical and pragmatic support to address the 99% of attacks that aren’t state-sponsored zero-days. Templates, guidelines, sample documents, simple advice and guidance, and other highly practical material are the core of what most organizations really need.

Cybersecurity should be boring, because it’s the boring stuff done right and done consistently that makes the biggest difference. Addressing the skills crisis is just the same.